<html>
<title>EVALUATING FDIC'S RESPONSE TO MAJOR DATA BREACHES: IS THE FDIC SAFEGUARDING CONSUMERS' BANKING INFORMATION?</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                       EVALUATING FDIC'S RESPONSE
                        TO MAJOR DATA BREACHES:
                        IS THE FDIC SAFEGUARDING
                    CONSUMERS' BANKING INFORMATION?

=======================================================================

                                 HEARING

                               BEFORE THE

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             July 14, 2016

                               __________

                           Serial No. 114-88

                               __________

 Printed for the use of the Committee on Science, Space, and Technology

 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

       Available via the World Wide Web: http://science.house.gov

                              ______________

                    U.S. GOVERNMENT PUBLISHING OFFICE
20-917PDF                    WASHINGTON : 2017
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.



              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
WARREN DAVIDSON, Ohio


                            C O N T E N T S

                             July 14, 2016

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Lamar S. Smith, Chairman, Committee
  on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking
  Member, Committee on Science, Space, and Technology, U.S. House
  of Representatives
    Written Statement

                               Witnesses:

The Honorable Martin J. Gruenberg, Chairman, FDIC
    Oral Statement
    Written Statement

Mr. Fred W. Gibson, Acting Inspector General, FDIC
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

The Honorable Martin J. Gruenberg, Chairman, FDIC

Mr. Fred W. Gibson, Acting Inspector General, FDIC

            Appendix II: Additional Material for the Record

Documents submitted by Representative Barry Loudermilk, Committee
  on Science, Space, and Technology, U.S. House of Representatives

Document submitted by Representative Randy Neugebauer, Committee
  on Science, Space, and Technology, U.S. House of Representatives

Document submitted by Representative Gary Palmer, Committee on
  Science, Space, and Technology, U.S. House of Representatives

Document submitted by Representative Bruce Westerman, Committee
  on Science, Space, and Technology, U.S. House of Representatives


                       EVALUATING FDIC'S RESPONSE
                        TO MAJOR DATA BREACHES:
                        IS THE FDIC SAFEGUARDING
                    CONSUMERS' BANKING INFORMATION?

                              ----------


                        THURSDAY, JULY 14, 2016

                  House of Representatives,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Committee met, pursuant to call, at 10:07 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Lamar Smith
[Chairman of the Committee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Smith. The Committee on Science, Space, and
Technology will come to order.
    Without objection, the Chair is authorized to declare
recesses of the Committee at any time.
    Welcome to today's hearing titled "Evaluating FDIC's
Response to Major Data Breaches: Is the FDIC Safeguarding
Consumers' Banking Information?"
    I'll recognize myself for an opening statement and then the
Ranking Member.
    The Acting Inspector General's recent audit confirms
exactly what the Committee's ongoing investigation revealed:
FDIC continues to have significant cybersecurity weaknesses.
    Over the course of the Committee's bipartisan
investigation, we have learned a great deal about the FDIC and
how they conduct business. Yesterday we released an Interim
Report by majority Committee staff.
    The report contains the following findings: One: The FDIC
has historically experienced deficiencies related to its
cybersecurity posture, and those deficiencies continue to be
present.
    Two: The Chief Information Officer created a toxic work
environment, misled Congress, and retaliated against
whistleblowers.
    Three: The FDIC deliberately evaded Congressional
oversight.
    The FDIC experienced at least eight major breaches that
they have determined met the reporting guidelines issued by the
Office of Management and Budget. The IG found that one of these
breaches required law enforcement involvement. This was the
September 2015, New York breach, in which a disgruntled
employee, without authorization, downloaded sensitive
resolution plans, also referred to as living wills. This
breach, according to the IG's report and confirmed by a
witness's testimony during our ongoing investigation, revealed
that had the FDIC taken more than just the initial steps to
implement a formal insider threat program, this breach could
have been prevented or at the very least detected much earlier.
    In a separate report, the IG found that the FDIC did not
properly interpret and apply the reporting criteria required by
a major incident, as articulated in the Office of Management
and Budget memorandum. The OIG found that reasonable grounds
existed to deem the Florida breach major but the FDIC waited
four months to notify Congress.
    The Committee is pleased that as a result of our hearing in
May, the FDIC began the process of contacting individuals whose
personally identifiable information had been compromised and
offered them credit monitoring. The Committee also appreciates
the fact that after nearly four months, the FDIC is working to
produce all documents and communications that we have requested
in multiple letters.
    The agency initially produced redacted summaries of
responsive documents and a limited set of email communications,
but whistleblowers and the IG's staff immediately informed the
Committee that we were not getting the whole story.
    This has been the overreaching theme of the Committee's
dealings with the FDIC: we're not getting the whole story.
Based on interviews and documents, there is a culture of
concealment at the FDIC.
    For example, the Office of Legislative Affairs staff,
according to testimony, knowingly failed to provide the
Committee with a full and complete production of documents.
    The Office of General Counsel's staff directed their
employees not to put certain opinions and analysis in emails or
other written forms, presumably to avoid discovery through the
Congressional oversight process.
    This Committee takes seriously its cybersecurity
responsibilities under the Federal Information Security
Modernization Act of 2014, or FISMA, as well as our
responsibility to root out waste, fraud, abuse, and
mismanagement.
    Our investigation has identified serious management
deficiencies in the CIO's office. Certain FDIC employees
believe that not only is he doing a poor job of protecting the
agency's sensitive information technology, but also he's
created a hostile work environment. One witness called Mr.
Gross "vindictive," removing his staff from leading projects
if they disagreed with his opinions.
    The FDIC needs to be accountable for breaches of
cybersecurity and responsive to the findings of our
investigation.
    We look forward to receiving all the requested documents
and hearing about what steps the FDIC is taking to protect
sensitive banking documents and taxpayers' personal
information.
    [The prepared statement of Chairman Smith follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Smith. That concludes my opening statement, and
the gentlewoman from Texas, Eddie Bernice Johnson, is
recognized for hers.
    Ms. Johnson. Thank you very much, Mr. Chairman, and welcome
to our witnesses.
    As we have learned over the course of many hearings before
this Committee, cybersecurity is a never-ending struggle.
Public and private entities alike are engaged in a constantly
evolving challenge to prevent both intentional data breaches
and unintentional dissemination of sensitive information.
    Since the last hearing we held on data breaches at the
Federal Deposit Insurance Corporation--the FDIC--just two
months ago, 32 million Twitter users had their login
credentials compromised, Walmart's corporate headquarters
disclosed the unauthorized access to data of more than 27,000
customers, and the medical records of thousands of National
Football League--the NFL--players were compromised when a
laptop computer was stolen from a car.
    Today is the Committee's second hearing on the FDIC's
handling of several data breaches that occurred since October
2015 when the Office of Management and Budget--the OMB--issued
new cybersecurity guidance. The OMB memo, known as Memo 16-03,
helped to define what constitutes a major data breach and
requires reporting incidents designated as major to Congress
within seven days of such a determination. Data from the FDIC
is particularly sensitive, and may include personal banking
information and data indicating potential criminal activity
such as suspicious activity reports.
    The agency failed to notify Congress of seven major data
breaches within the 7-day time frame that OMB requires from
October 2015 through February 2016.
    During our Oversight Subcommittee hearing on this topic in
May, the FDIC's Chief Information Officer described these data
breaches as inadvertent and occurring without malicious intent.
The FDIC Acting Inspector General, Mr. Fred Gibson, testified
at that hearing and is a witness here today. His office
released two audits of the FDIC's data breaches last week, and
the evidence his office gathered clearly shows that in at least
one of the seven breaches, the data was not taken accidentally.
His office is in the process of conducting a further forensic
review of the remaining six incidences.
    I think it's fair to say that our May hearing yielded
bipartisan agreement that the FDIC's interpretation of the OMB
guidelines was flawed. It is also clear that FDIC did not
initially provide all documents responsive to the Committee's
requests.
    However, I do not agree with my Majority colleagues as to
what constitutes evidence of intent. The Majority is likely to
allege that the CIO intentionally misled the Committee and that
the agency attempted to obstruct the Committee's investigation
into these events. I do not believe the Committee has uncovered
convincing evidence to support those allegations. I am not
dismissing the testimony of some of the FDIC employees who have
been interviewed but it is our responsibility to make sure we
have all of the evidence and have heard from all parties before
we begin to wave around serious allegations of criminal intent.
    What I do believe is this. First, the recent reports issued
by the Inspector General's office on the data breaches at FDIC
point to a series of corrective actions that I hope will
improve the agency's ability to appropriately respond to the
multiple cybersecurity threats we all face. I do believe the
FDIC Chairman takes these issues seriously. He has a strong
track record on responding to cybersecurity challenges,
including holding his staff accountable.
    Second, all federal agencies need strong, competent,
independent chief information officers--chief information
security officers, and I am glad that both the IG's office as
well as the Government Accountability Office, or GAO, are now
engaged in separate reviews of the appropriate role, placement,
and authorities of the Chief Information Security Officer at
FDIC and other federal agencies.
    And finally, while we investigate failures at different
agencies to fully and properly implement federal cybersecurity
requirements, we should also support agency efforts to continue
to strengthen their cybersecurity posture as the technologies
and the threats rapidly evolve around them.
    I look forward to hearing from both Mr. Gruenberg and
Acting IG Mr. Gibson.
    Thank you, Mr. Chairman. I yield back.
    [The prepared statement of Ms. Johnson follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Smith. Thank you, Mrs. Johnson.
    Let me introduce our witnesses. Our first witness today is
Mr. Martin Gruenberg, Chairman of the Federal Deposit Insurance
Corporation. Mr. Gruenberg previously served as Vice Chairman
and Member of the FDIC Board of Directors. He was also Chairman
of the Executive Council and President of the International
Association of Deposit Insurers. Mr. Gruenberg received his
bachelor's degree from Princeton University's Woodrow Wilson
School of Public Policy and International Affairs and his J.D.
from Case Western Reserve Law School.
    Our second witness is Mr. Fred Gibson, Acting Inspector
General of the Federal Deposit Insurance Corporation. Mr.
Gibson previously has served with the Resolution Trust
Corporation Office of Inspector General as Principal Deputy
Inspector General and Counsel to the Inspector General. Mr.
Gibson received his bachelor's degree in history from the
University of Texas at Austin and his master's degree in
Russian area studies from Georgetown University. He also
received his J.D. from the University of Texas School of Law.
    We welcome you both, and Chairman Gruenberg, if you'll
begin?

   STATEMENT OF THE HON. MARTIN J. GRUENBERG, CHAIRMAN, FDIC

    Mr. Gruenberg. Thank you, Mr. Chairman. Chairman Smith,
Ranking Member Johnson, and members of the Committee, thank you
for the opportunity to appear before you today.
    An effective information security and privacy program is
critical to the FDIC's mission of maintaining stability and
public confidence in the Nation's financial system.
    My testimony today will discuss the recent incidents
pertaining to information security at the FDIC and our response
to the two related Office of Inspector General audits.
    The first audit was of the FDIC's controls for mitigating
the risk of an unauthorized release of sensitive resolution
plans. As detailed in my written statement, on September 29,
2015, the FDIC determined through use of our Data Loss
Prevention software that immediately prior to resignation, an
employee in the FDIC's Office of Complex Financial Institutions
had transferred copies of sensitive resolution plans from the
internal network onto an unencrypted removable storage device,
which was prohibited by FDIC policy. The FDIC notified the OIG
of the incident on September 29, and law enforcement officials
later recovered the storage device from the former employee.
The OIG began an audit to determine the factors that
contributed to this incident, and to assess the adequacy of
mitigating controls.
    Its final audit report identified several weaknesses that
the FDIC needed to address and made six recommendations. We
concur with the findings and recommendations, and expect to
complete implementation of our responsive actions by the end of
2016. These include a recommendation that the FDIC establish an
agency-wide insider threat program, which we have committed to
fully implement by the end of this year. In addition, the OIG
noted that a key control intended to prevent users from copying
information to removable media failed to operate as intended.
We are now installing a new software version that addresses the
observed defects and plan that installation to be completed by
August 26.
    The second audit I'd like to address is the OIG's audit of
the FDIC's process for identifying and reporting major
incidents, which stemmed from a breach of sensitive information
that's referenced in the OIG report as the "Florida Incident".
This incident involved a former FDIC employee who copied a
large quantity of sensitive information to removable media and
took the information when departing FDIC employment on October
15 of 2015. The FDIC detected the incident through its DLP
software on October 23. The employee, who was initially
resistant, ultimately returned the device on December 8 of last
year.
    Also during this time, on October 30 of last year, the
Office of Management and Budget issued guidance on the
reporting of "major incidents". In initially assessing the
application of this new guidance and consistent with FDIC
policy and procedure, the CIO considered the incident's risk of
harm and reached the conclusion that although it was a breach,
it did not rise to the level of a "major incident".
    On February 19 of this year, the FDIC received an OIG memo
analyzing the Florida incident in which the OIG concluded that
the FDIC had not properly applied the OMB guidance for
classifying the incident as a "major incident". The OIG found
that the FDIC had based its determination on mitigating factors
relating to "risk of harm", but that such factors are not
addressed in the guidance and therefore are not relevant in
determining whether or not incidents are major. The OIG
determined that the FDIC should instead have reported the
incident to Congress as a major incident no later than 7 days
of having determined at least 10,000 Social Security Numbers
were involved.
    Having received this OIG memorandum, the FDIC proceeded to
give Congressional notification on February 26 of this year. We
then reviewed other incidents that had occurred since issuance
of the guidance and reported six additional incidents to
Congress between March and May.
    In retrospect, and in light of the OIG's report findings,
we should not have considered what we believed to be mitigating
factors when applying the OMB guidance. We also failed to
provide adequate context when reporting to Congress on the
Florida incident and should have notified the potentially
affected individuals when the notice to Congress was given in
February.
    We agree with the OIG conclusions and are working on each
of their recommended corrective actions. Our expectation is
that taking the steps outlined in the responses to the OIG
reports will minimize the potential for similar incidents. I
would note that the OIG's reports state that our planned
actions are responsive and that the recommendations are
resolved.
    We have also discontinued the use of removable media at the
FDIC except for limited exceptions for the GAO, OIG, and our
legal division. We will keep the OIG and Congress informed of
our progress.
    Finally, if I may add, Mr. Chairman, there have been
reports about advanced, persistent threat incidents in 2010 and
2011 at the FDIC. The Office of Inspector General provided me
an investigative report back in May of 2013 on the incidents,
which found that our Division of Information Technology did not
fully inform me and other board members and senior executives
about the incidents. As a result of that OIG report, we took a
number of steps including engaging an independent cybersecurity
firm to assist our system, and personnel changes were made.
    Mr. Chairman, thank you again for the opportunity to
testify today and I'd be happy to answer your questions.
    [The prepared statement of Mr. Gruenberg follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Smith. Thank you, Chairman Gruenberg.
    And Mr. Gibson.

                STATEMENT OF MR. FRED W. GIBSON,

                 ACTING INSPECTOR GENERAL, FDIC

    Mr. Gibson. Thank you, Chairman Smith, Ranking Member
Johnson, Members of the Committee. Thank you for the invitation
to speak with you today.
    Since I last testified before this Committee's Subcommittee
on Oversight, my office has completed two publicly available
audits relating to the information security posture of the
FDIC. Our first audit dealt with the FDIC's process for
identifying and reporting major incidents and focused on the
reporting of one such incident, which is being referred to as
the Florida incident.
    This incident involved a former FDIC employee who copied a
large quantity of sensitive FDIC information to removable media
and took this information when the employee left in October of
2015. The FDIC detected the incident through its data loss
prevention tool. We determined that although the FDIC had
established various incident response policies, procedures,
guidelines, and processes, these controls did not provide
reasonable assurance that major incidents were identified and
reported in a timely manner consistent with the law and OMB
guidance. We made five recommendations that were intended to
provide the FDIC with greater assurance that major incidents
are accurately identified and promptly reported.
    Our analysis of the Florida incident prompted the FDIC to
initiate a review of similar incidents involving departing
employees that occurred after the OMB issued applicable
guidance in October of 2015. Based on its review between March
and May 2016, the FDIC reported six additional incidents to the
Congress as major. We are currently studying these incidents
and the manner in which they were reported and expect to
complete this work by mid-September.
    In a second audit, we reviewed the Corporation's controls
for mitigating the risk of an unauthorized release of sensitive
resolution plans. Under Dodd-Frank, designated systemically
important institutions must provide resolution plans to federal
bank regulators. These resolution plans, or living wills,
contain some of the most sensitive information that the FDIC
maintains.
    In September 2015, an FDIC employee working in the FDIC's
Office of Complex Financial Institutions abruptly resigned from
the Corporation and took copies of non-public components of
resolution plans without authorization and in violation of
FDIC's policies. The incident is not one of the seven that the
FDIC reported as major to the Congress. Our work identified a
number of factors contributing to the security incident. We
concluded that an Insider Threat program would have better
enabled the FDIC to deter, detect and mitigate the risk of an
event like this, and a key security control designed to prevent
employees with access to sensitive resolution plans from
copying electronic information to removable media had failed to
operate as it was intended. Our report contains six
recommendations. One is that the FDIC establish a corporate-
wide Insider Threat program.
    The FDIC concurred with the recommendations we made in both
audits and has outlined actions that would be responsive. We
will follow up carefully on the implementation of each of those
recommendations.
    We will also complete this year's FISMA audit in the fall.
The report will build upon the work I've described today and
will broadly assess the effectiveness of the FDIC's information
security program and practices.
    In addition, we have ongoing work related to the FDIC's
plans and actions to address earlier audit recommendations
pertaining to credentialing and multifactor authentication. We
plan to initiate additional audit work in such areas as data
breach notification and the FDIC's information technology
enterprise architecture.
    Finally, we also have open investigations relating to
several of these matters, which have not reached the stage
where further public discussion would be appropriate.
    In any case, thank you again. I look forward to answering
any questions the Committee may have about these or any related
matters.
    [The prepared statement of Mr. Gibson follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Smith. Thank you, Mr. Gibson, and I'll recognize
myself for questions.
    Chairman Gruenberg, let me address my first one to you and
say that it's our understanding that no staff has been
reprimanded for mishandling the cybersecurity breaches, no
staff has been reassigned because of the mishandling of
breaches, and the appearance is that no one's been held
accountable for the breaches. I am just wondering why not.
    Mr. Gruenberg. Thank you, Mr. Chairman. If I may, let me
give you my perspective on this, particularly in regard to our
CIO, who I think has been the lead person responsible in this
area. I understand this may not be consistent with your
perspective but I wanted to give you my perspective for what
it's worth from my position. As you know, the incident that
precipitated this, the Florida, so-called "Florida Incident",
occurred on October 15, and was identified on October 23, and
the OMB guidance on major incident was issued on October 30,
and our CIO began--assumed his responsibilities on November 2.
So what we had was sort of a confluence of developments. The
breach occurred and was identified, the guidance was issued,
and our CIO assumed his new position. It was sort of presented,
if I may say, with a pretty--for a guy just starting the job--a
pretty difficult situation to sort through. He had the breach
occur. He had to--the decision was made that even though the
breach occurred before the issuance of the guidance there'd be
an effort made to apply the guidance to the breach, but it was
new guidance, first impression without real precedent to go by.
    Chairman Smith. Right. Let me interrupt you just briefly.
    You had six major breaches. One was so serious it involved
law enforcement, and there were a number of individuals
involved, not just the one CIO, but it appears that again no
reprimands, no reassignments, no accountability for anyone, and
that sends a message that the breaches are not necessarily
being taken seriously.
    Mr. Gruenberg. Mr. Chairman, I assure you we have no higher
priority at the FDIC than addressing these matters. We
certainly are prepared to consider the information provided by
the Committee and review and consider them in regard to the----
    Chairman Smith. And this particular breach was not reported
to the Committee for four months. Was there any good
explanation why the FDIC waited to report the incident?
    Mr. Gruenberg. This is in regard to the Florida incident?
    Chairman Smith. The Florida incident. Correct.
    Mr. Gruenberg. If I could just complete my comments on
that.
    The CIO, who is the responsible official, was trying to
sort through the application of the new guidance to this
incident. He utilized existing FDIC policy of considering the
risk of harm, applying the guidance, and utilizing mitigating
factors applying to risk of harm, and a conclusion was reached
that that incident was a breach that would be reportable under
FISMA, but did not rise to the level of a "major incident".
That was the assessment made based on the facts available to
the CIO.
    That occurred in December. When the OIG, who then was
reviewing this matter, provided a memo in February, on February
19 saying no, you got it wrong, these mitigating factors are
not provided in the guidance, they're not relevant----
    Chairman Smith. There was a difference of opinion as to how
you define "major"?
    Mr. Gruenberg. That's really what it came down to, and I
guess what I want to suggest, and I understand there may be a
difference of view. While we may have gotten it wrong, while
the CIO may have gotten it wrong, I think, at least my
perspective is, there was an honest effort here to review the
guidance, consider mitigating factors, and make a reasonable
judgment. The judgment may have been wrong, but I don't think
there was malintent here. That's what I wanted to convey.
    Chairman Smith. Thank you, Chairman Gruenberg.
    And Mr. Gibson, are you satisfied that the FDIC are taking
the necessary steps or will take the necessary steps to address
your findings?
    Mr. Gibson. Sir, in our view, the FDIC has described
actions that if taken will be responsive to the recommendations
of each one of our audits. I mean, it's our intention to follow
up with respect to the implementation of each one in order to
ensure both that they're implemented and that it's done so in
an effective manner and that the effect of those actions
achieves the goal that we were trying to achieve.
    Chairman Smith. Okay. Thank you, Mr. Gibson.
    I'll recognize the Ranking Member, Eddie Bernice Johnson,
for her questions, but let me say that I'm going to need to
shuttle between this Committee hearing and another committee
hearing, so I'm going to turn the chair over to the gentleman
from Georgia, Mr. Loudermilk, and hope to return.
    The gentlewoman from Texas is recognized for her questions.
    Ms. Johnson. Thank you, Mr. Chairman.
    Chairman Gruenberg, several years ago before the current
CIO came to the agency, the FDIC suffered from a cyber-attack
by a foreign government. I understand that a senior IT security
staff member failed to inform you about this breach at the
time. Once you found out about it, I also understand that you
took disciplinary actions against some of these individuals who
failed to inform you of this breach.
    The FDIC IG's office says that in one of the recent data
breaches, known as the Florida Incident, your Chief of
Information Officer decided not to forward information to you
about the breach because he made the determination it was not a
major incident and therefore did not need to pass this along
for your approval.
    Given this history, are you taking any specific steps to
ensure that you are being kept well-informed of cybersecurity
issues at your agency?
    Mr. Gruenberg. Thank you, Congresswoman. We are, needless
to say, very focused on this set of issues. As I indicated,
they are critical and essential to the functioning and
credibility of our agency, and we are engaging on a daily basis
in terms of complying with all of the recommendations and
implementing all of the recommendations made by the OIG
including implementing policies and procedures relating to
major incidents that will assure the timely reporting to
Congress if such incidents should occur again.
    Ms. Johnson. Thank you.
    Mr. Gibson, I understand that your office is undertaking
review of the role of the Chief Information Security Officer to
make sure that he or she has the authorities and independence
necessary to ensure a strong cybersecurity posture for the
agency. I know that this review is just getting started, but
can you tell us what sorts of questions you are trying to
address and why you're conducting this in the first place?
    Mr. Gibson. Yes, ma'am. We believe that the Chief
Information Security Officer as a matter of principle should be
in a position to speak up and in a position to inform those in
the corporation who need to know what the status is of
incidents of information that may be relevant pertaining to the
security of the system. I'm not sure that we have reached--we
obviously haven't reached any conclusions yet but the goal is
essentially to reach a reasoned assessment as to whether the
CISO in current structure where the CISO reports to the Chief
Information Officer is able to provide that independent,
security-minded voice with respect to that information or
whether it's a position that should organizationally and from a
governance standpoint be separated so that there's a degree of
independence and a degree of ability to speak up.
    Ms. Johnson. Now, in regards to the seven data breaches
reported to Congress by the FDIC as major incidences, do you
believe that the circumstances in those specific cases gave the
agency the discretion to determine that they were not major
incidences as they initially were determined?
    Mr. Gibson. We're still reviewing all six of those
incidents so our work isn't complete. What I would say at this
point in time preliminarily is we believe they should all have
been reported as major incidents consistent with 16-03.
    Ms. Johnson. Thank you very much.
    I yield back.
    Mr. Loudermilk. [Presiding] I thank the lady from Texas,
and now recognize myself for five minutes for questions.
    Mr. Gruenberg, you had mentioned earlier that Mr. Gross was
assessing the risk of harm as one of the reasons that it wasn't
reported to Congress. I may remind you that risk of harm is not
one of the criteria in OMB.
It\'s the scope and the type of \ndocuments which I think is clearly in the realm of what should \nhave been reported and reported within seven days, not in \nseveral months, but it\'s not the place of this Committee to try \nto micromanage the operations within FDIC, but when the \noperations puts at risk the safety and security of American \ncitizens or our national security, then it is our \nresponsibility, it\'s our duty to inject ourselves on behalf of \nthe American people.\n    And so in our previous hearing, we really looked at in \ndepth, as in depth we could, as to what happened in those data \nbreaches. Today I want to assess what is the response. Because \nI think it\'s important that we understand the direction that \nyou\'re taking. Is it effective? Are we actually trying to \ncorrect that as we go forward in still investigating what \nhappened and why the law was not followed? We also need to know \nwhat direction you\'re going.\n    Now, I understand that through testimony before that you \nhave a data loss-prevention program, DLP, that is, I believe, a \nSymantec program, that actually notified the FDIC and your data \nteam that this data had been copied, and so that kind of \nprompted your internal investigation into that. I also \nunderstand that Mr. Gross is now fast-tracking a number of \nother initiatives to show progress on remedying these security \nbreaches and, you know, normally this--we would take that as \ngood news that you\'re giving priority and importance to trying \nto resolve this, but it appears that some of these initiatives \nMr. Gross is spearheading are not the solutions that really are \ngoing to fix the problem but may exacerbate the problem and \nmake it worse.\n    Mr. Gruenberg, are you aware that Mr. Gross has planned \nout--planned a rollout of a Digital Rights Management System?\n    Mr. Gruenberg. Yes, Congressman.\n    Mr. Loudermilk. You are. Do you support that initiative?\n    Mr. Gruenberg. 
As it\'s been explained to me, it seems like \na reasonable step for us to take.\n    Mr. Loudermilk. Okay. And you trust that--is it Mr. Gross \nthat has explained that to you?\n    Mr. Gruenberg. Yes, sir.\n    Mr. Loudermilk. It has. Do you understand the benefit that \nDRM will have for cybersecurity protection at the FDIC?\n    Mr. Gruenberg. I have some understanding. I don\'t hold \nmyself out as a technology expert but I do have some \nunderstanding.\n    Mr. Loudermilk. Well, I spent 30 years in the IT business \nso I have somewhat of an understanding, but it is an evolving \nfield. Basically, the Digital Right Management is a method of \nencrypting and applying rules of access or non-access to \nspecific documents.\n    Mr. Gruenberg, I understand that the FDIC has this DLP \nthat--and as I brought up the DLP earlier, you were nodding \nthat yes, it did notify your data security team of that data \nbeing copied. Are you aware that the rollout of DRM will \nactually render DLP ineffective?\n    Mr. Gruenberg. Not to my understanding, Congressman.\n    Mr. Loudermilk. So you haven\'t been briefed that it would \nactually render ineffective the current security system that \nactually notified you of that breach?\n    Mr. Gruenberg. Not that I\'m aware of, no, sir.\n    Mr. Loudermilk. Let me mention an email provided to the \nCommittee by a whistleblower in the FDIC discussing the actual \nimpact DRM will have. This email was sent on July 1, 2016, so \nit was pretty recent, and the subject line reads ``risk to \nFDIC\'s data.\'\' Now, we have redacted the email and I am just \ngoing to summarize it, one, because we feel that if I read the \ndetails as it was written, it would provide--it would even \nexacerbate your current security risk that you have but also we \nhave concerns of retribution on the whistleblowers within your \norganization. 
Basically this is from a senior expert within the \nFDIC that says, and I summarize or paraphrase, that there is a \ngreat risk of losing control over your data by simply releasing \nDRM without a lot of other work being done first, especially \ndata classifications, labeling and access rights, which has not \nbeen done. It says each of these has to be done or essentially \napplying a DRM file will bypass the current DLP controls. This \nmakes DRM a high risk to undetected data loss. It sounds like \nan environment that is supported by CIO, Mr. Gross, doesn\'t \nreally understand what he\'s doing, and maybe he\'s just \nresponding to the inquiries of this Committee to show that he\'s \ndoing something but it will not actually have a positive effect \nbut actually have a negative effect.\n    How do these types of fundamental security conflicts arise \nat the FDIC? Do you feel Mr. Gross has been giving you the full \nextent of what the system will do?\n    Mr. Gruenberg. I do believe so, Congressman. I take very \nseriously the points you raise, and if I may, let us go back \nand take a look at the issue you raised, particularly in regard \nto DRM and its impact on the DLP. I think that\'s an important \npoint. If we may, let us look into it and we\'ll come back to \nyou.\n    Mr. Loudermilk. I appreciate it.\n    Now, I understand that right now there\'s no permanent Chief \nInformation Security Officer in place. Is that true?\n    Mr. Gruenberg. That is true. We\'re in the process of \nputting out a notice soliciting individuals for that position.\n    Mr. Loudermilk. Do you feel that position is very vital?\n    Mr. Gruenberg. Central, sir.\n    Mr. Loudermilk. But yet you\'re going ahead with the rollout \nor fast-tracking rollout of a security program without this \nposition being filled.\n    Mr. Gruenberg. 
I think, if I may say, in regard to--if \nyou\'re referencing DRM, I mean, that\'s still in the initial \nphase, so we will go back and consider the points you raised. \nThis is going to be done in a very careful and deliberate way, \nand if the issues you raise are on point, we\'ll obviously take \nthat into consideration.\n    Mr. Loudermilk. Well, I think it would be very advisable to \ndo that, and I\'m quickly--I\'ve exceeded my time. But does the \nFDIC have any classified material of any quantity?\n    Mr. Gruenberg. We do have a so-called SCIF.\n    Mr. Loudermilk. Is that information in danger if we \ncontinue to have conflicts like rolling out a DRM that will \ncircumvent the current security protocols you have in place?\n    Mr. Gruenberg. Not to my understanding but let me be sure I \nunderstand it before I give you a conclusive answer on that.\n    Mr. Loudermilk. My time\'s expired, and I now recognize the \ngentlewoman from Oregon, Ms. Bonamici, for five minutes.\n    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank \nyou for calling this hearing.\n    Chairman Gruenberg, can you provide us with an update of \nthe actions that the agency has taken to notify any individuals \naffected by all of the major data breaches? Have you offered \ncredit monitoring services, for example? And if they have not \nbeen notified, when will that happen?\n    Mr. Gruenberg. We are undertaking notifying and providing \ncredit monitoring to all the individuals affected by those \nseven breaches.\n    Ms. Bonamici. And Mr. Gibson, one of the two audit reports \nyou released last week looked at a data-breach case in New York \nand suggested that the Insider Threat program could have \npotentially helped prevent that data breach. That language is \npretty strong. The report mentions that the program was stalled \nin the fall of 2015. So will you please explain the importance \nof the Insider Threat program, and what happened? Why did it \nstall? 
Because that\'s a pretty serious issue.\n    Mr. Gibson. Sure. The Insider Threat program is an \noverarching program that allows the integration of information \nfrom multiple sources to assess whether an individual poses an \ninsider risk to an enterprise. I think it\'s commonly accepted \nwisdom, and it\'s probably good wisdom, that the most \nsignificant threats that most organizations are going to face \nare insider threats, in other words, the risk of an employee or \na person who\'s trusted within a computer network obtaining \naccess or misusing access to data that\'s contained within or \nhoused within a particular system. So we think that an Insider \nThreat program is an extremely important thing to do.\n    The program itself consists of a variety of different \npieces, but beyond that, what\'s necessary is an overarching \ngoal.\n    Ms. Bonamici. I understand that, and I don\'t mean to \ninterrupt----\n    Mr. Gibson. That\'s----\n    Ms. Bonamici. --but why did it stall in the fall?\n    Mr. Gibson. That is unclear. I think that we\'ve heard two \ndifferent versions of the story as to why it stalled in the \nfall. From a senior management perspective, we\'ve been told \nthat there was concern that components of the program were \nconducting an investigation that was going too far and too fast \nwith respect to an employee and that they needed to establish \npolicies, procedures, standard operating procedures, and a \nmeans for managing the work that was being done before it \ncontinued.\n    We\'ve heard kind of a different story at a different level \nof the organization where they believe that they were in \nessence directed to stop, and they got the message that there \nwasn\'t----\n    Ms. Bonamici. I want to try to get another question in but \nI know that the Committee would appreciate follow-up on that \nwhen you determine exactly why that failed.\n    Mr. Gibson. Okay.\n    Ms. Bonamici. I wanted to follow up on Mr. 
Loudermilk\'s \nquestioning, and I think this is best directed to you, Mr. \nGibson.\n    The FDIC implemented a new version of its data loss \nprevention tool last September, and it was apparently the \nsoftware that allowed you to identify the recent major data \nbreaches but your office looked at the implementation of this \ntool, found some problems from September 2015 to the end of \nFebruary 2016. The software identified 604,178 potential \nsecurity violations and nearly 400,000 of those were related to \nremovable media.\n    So it\'s my understanding that ultimately it was up to some \nindividual to sort through those incidents and determine which \nare the most suspicious in order to see if they were legitimate \ndownloads or indicated potential unauthorized activity, which \nseems a little bit like looking for a needle in a haystack.\n    So do you think that this DLP is a useful cybersecurity \ntool? What do you need to do to ensure it\'s used effectively? \nAnd just to follow up on Mr. Loudermilk\'s question, apparently \nnow you\'re doing something that\'s inconsistent with that. And \nfinally, since you\'ve eliminated the removable media usage, has \nthere been a reduction in the incidents that have been flagged \nby this DLP program?\n    Mr. Gibson. Let me answer that as best I can. I think that \nthe DLP tool as a tool is a tremendously important and helpful \ntool. I think that it requires a higher level of resources in \norder to be timely and effective. I would agree that digging \nthrough the volume of reports that the individual who\'s tasked \nwith that has had to dig through really is a little like \nlooking for a needle in a haystack, and I think that could be \nresolved, you know, by devoting some additional resources to \nit, and we\'ve recommended that that be resourced differently. \nThere may be other technical approaches that can be used as \nwell. I wouldn\'t be the person to address that.\n    Ms. Bonamici. 
By ``additional resources,\'\' do you mean \nadditional people looking for the needles in the haystack or do \nyou mean some other approach?\n    Mr. Gibson. Both.\n    Ms. Bonamici. Mr. Gruenberg?\n    Mr. Gruenberg. Congresswoman, if I can just add to that, I \nthink a large percentage of the incidents being identified by \nthe technology was a result of the use of removable media. So \nby discontinuing the use of removable media, we hope that\'s \ngoing to substantially reduce the number of incidents and allow \nfor the more effective use of the technology.\n    Ms. Bonamici. And you said you hope that it does, but do \nyou know yet, have the--has there been a reduction in incidents \nflagged by the DLP program since the elimination of removable--\n--\n    Mr. Gruenberg. It\'s obviously a recent development. We can \ncheck into that and come back to you.\n    Ms. Bonamici. Terrific. Thank you very much.\n    I yield back. Thank you, Mr. Chairman.\n    Mr. Loudermilk. The Chair now recognizes the gentleman from \nTexas, Mr. Neugebauer, for five minutes.\n    Mr. Neugebauer. Thank you, Mr. Chairman.\n    Chairman Gruenberg, through the course of this Committee\'s \ntranscribed interviews of FDIC employees, it is clear that CIO \nLarry Gross\'s fast-tracking a number of initiatives to show \nprogress in remedying these cybersecurity breaches, and some of \nthose have been mentioned. Normally, as the Chairman said, that \nwould be welcome news, although it appears that some of these \ninitiatives spearheaded by Mr. Gross are not the fixes needed.\n    Chairman Gruenberg, are you aware of Mr. Gross\'s initiative \nto replace all desktops at the FDIC with laptops?\n    Mr. Gruenberg. Yes, Congressman.\n    Mr. Neugebauer. And do you support that, and do you think \nthat\'s a good idea?\n    Mr. Gruenberg. As presented to me, it seems like a \nreasonable step to take. We\'re going to be implementing that in \na careful and deliberate way. 
The use of laptops will enhance \nboth the mobility and the continuity challenges that we face \nwith our workforce. I think that\'s been part of the objective \nhere.\n    Mr. Neugebauer. Do you know what that\'s going to cost?\n    Mr. Gruenberg. I can get that for you. You know, we \nprovided laptops to our field employees in the previous year, \nand so this round is to provide it for our Washington \nemployees.\n    Mr. Neugebauer. So are you aware that a number of security \nexperts at the FDIC strongly believe that replacing the \ndesktops with laptops increases cybersecurity risk?\n    Mr. Gruenberg. Look, I understand that there have been some \nstatements to the Committee, and let me say, I\'m sure those \nstatements were made with good intent, and I appreciate the \npoints raised. What we will do is, as for the points \nCongressman Loudermilk raised in regard to the DLP and DRM, is \nlook into them, and, if we may, report back to you.\n    Mr. Neugebauer. Well, just a little side note here. I think \nthat the plan here has been to keep employees from taking data \noffsite, if I\'m not mistaken, and if you start furnishing \nlaptops with that information on there, it looks like to me \nwe\'re moving in a different direction here, but----\n    Mr. Gruenberg. Can I respond to that, Congressman?\n    Mr. Neugebauer. Yes.\n    Mr. Gruenberg. For what it\'s worth, and again, I want to be \npretty cautious about representing myself in regard to \ntechnology, the laptops have value for both mobility and \ncontinuity of operations. If our operations are disrupted, \nthere\'s value in our employees having that capability as well \nas tele-work. I think the belief is--and again, we\'ll review \nand come back to you on this--that a government-furnished \nequipment such as a laptop may be a more secure way to achieve \nthat objective.\n    Mr. Neugebauer. Well, I would suggest you look into that \nbecause I know a number of people are telling Mr. 
Gross that \nthey don\'t think that\'s a good idea, and it appears that he\'s \nnot listening, so I would encourage you to do your own due \ndiligence.\n    Let me show you some testimony from former Acting Chief \nInformation Officer and now Deputy CIO when asked about Larry \nGross\'s laptop initiative. Put the slide up there.\n    [Slide.]\n    Question: ``Are you--could you tell us a little bit more \nabout the laptops. So under this new plan, would it replace the \ndesktops that employees have at the agency?\'\' The answer was, \n``It\'s not clear, and this is one of the things that has not \nbeen thought through. Some of the questions are, so is this--\nwill this replace the desktop. So do you have both? So now I \nhave a laptop and I have to take that back and forth. Now, \nagain, I\'m looking at it from a security perspective. Our focus \nhas been security. What is the risk, you know? Why spend $5 \nmillion? Is this really going to help security posture for FDIC \nin terms of your spending something and you don\'t know what \nyou\'re getting in return from the security perspective. There \nare many other things we can be doing to improve security \nposture at FDIC, and this is not at the top of the list, but \nthis is what happens when decisions are made at the top level \nwithout including subject matter experts, folks from divisions, \nfrom business, and there\'s artificial deadlines imposed by this \nJuly 31st that are supposed to do all of this.\'\'\n    Mr. Gruenberg, there are other examples of similar \ntestimony from IT and security experts at FDIC. I mean, I\'m \nbeginning to question Mr. Gross\'s proficiency in his job. Are \nthese alarming to you?\n    Mr. Gruenberg. Let me say, you raised--the points you \nraised, I think, are serious ones, and we\'ll take the \nopportunity if we may to review them and perhaps come back to \nyou.\n    I would just say in regard to Mr. 
Gross, I think it\'s fair \nto say our Vice Chairman, Tom Hoenig\'s, perspective is one we \nbelieve Mr. Gross is a capable professional, and it\'s fair to \nsay he assumed his position on November 2nd of last year so \nhe\'s been on the job for 9 or 10 months. I think our sense is--\nand believe me, we will carefully consider the points you \nraised--but I think our sense is, we\'d like to give him an \nopportunity to do the job and we\'ll evaluate that and I assure \nyou we will hold him accountable, but we don\'t want to--we want \nto at least give him a fair chance to see-\n    Mr. Neugebauer. Well, my parting comment is, as you know, \nand you and I both know, is that one of the things that your \nagency does is hold the financial institutions that you \nregulate under very high data security standards, and as you \nshould because we\'re handling very sensitive information. I \nthink it\'s extremely important that the FDIC set an example in \nthat area, and I don\'t believe we\'re accomplishing that goal.\n    Mr. Loudermilk. I thank the gentleman, and Mr. Gruenberg, \nit sounds like the issue we\'re facing at FDIC is data getting \nout of the FDIC, and I would think that you would want to make \nit more difficult for employees to take data out, not make it \neasier with laptops. Maybe you should invest in a set of chains \nand locks instead of laptops.\n    At this point I recognize the gentleman from Illinois, Mr. \nFoster, for five minutes.\n    Mr. Foster. Thank you, Mr. 
Chairman, and thank you for \neverything that the FDIC does to make banking safer.\n    One of my favorite graphs in the universe is the number of \nbank failures as a function of calendar year from the Civil War \nto today where you see that banks back in the days of when it \nwas the Wild West before the FDIC, you saw that hundreds of \nbanks would fail in a typical year, and when the FDIC and \nrelated regulation came in, before we decided to dismantle it, \nwe saw essentially zero bank failures and banks became a safe \nplace. And so I want to thank you for everything that you\'ve \nproven capable of.\n    Now, a couple of specific questions. The laptop thing, are \nthese thin client laptops or are these full capability laptops \nwith the data on drives and, you know, Bluetooth ports and all \nthese sort of potential data leaks?\n    Mr. Gruenberg. If I may, rather than answering that off the \ntop, can I come back to you on that point?\n    Mr. Foster. Okay. Do you know in a general sense how your \nsecurity compares to the security, say, at a large, \nsophisticated law firm or a large bank where they hold equally \nsensitive information. For example, do they allow employees to \ntelecommute with sensitive data on laptops with what level of \nencryption, et cetera? As a very high-level question, could you \nsort of compare the fraction of your budget devoted to \ncybersecurity compared to, you know, what a large, \nsophisticated bank, for example, or large law firm would do? \nThat would be a very useful comparison to find out whether \nyou\'re underinvesting in this or whether it\'s just a problem \nthat everyone is wrestling with.\n    Now, in relation to the removal of the portable storage \ndevices there is an enormous data leak that everyone carries \naround in their pocket, and it\'s the very simple way of just \ntaking pictures of screenshot. 
If you have access to read the \nclear text of a document, you can take a picture of it, and \nunless you plan to confiscate cell phones, it\'s very hard. \nThere\'s a large class of insider attacks that you can imagine \nbased on simply the existence of a cell phone in the employee\'s \npossession, and, that is the sort of thing they do. If you\'re \ntalking about nuclear bomb designs, you cannot carry cell \nphones in. Is that the level of security that you plan on \ninvesting in or is there some intermediate level and you just \nlive with the risks that are allowed that are intrinsic in that \nlower level?\n    Mr. Gruenberg. You raise an important point. We\'ve \naddressed the removable media issue. We\'re in the process of \naddressing paper production and controlling paper production as \nwell. The issue you raised of snapping of a photograph of a \nscreen and taking it with you is an issue we need to address \nbut that\'s a significant challenge.\n    Mr. Foster. And a large number of secret ways of streaming \nthe data out if you\'re allowed to download an executable on a \nlaptop you own. There are many ways to communicate with similar \nprograms on a cell phone that are going to be difficult to \ndetect.\n    So I was just was wondering if you see the endpoint here to \nbe the endpoint comparable to nuclear security or comparable to \nbest practices at a big bank.\n    Mr. Gruenberg. That\'s a--you know, I don\'t know--I would \nlike to think we would at a minimum achieve best practices for \nboth government agencies and the private sector. I think that \nwould be a reasonable objective for us.\n    Mr. Foster. 
And are you looking at the tradeoff between \njust cloud-based everything and just thin clients with no real \ndata storage locally, which is in some people\'s view the best \npractice endpoint for this, versus the dangers of even having \nemployees with encrypted data that they sometimes can forget to \nencrypt on their laptops and carry home and lose the laptop and \nthat sort of fun class of data breach.\n    Mr. Gruenberg. That\'s also a set of issues we have under \nreview.\n    Mr. Foster. Okay. Are there conferences where all the \nfederal agencies and the best and brightest in industry get \ntogether and identify the best practices in this pretty \nterrifying environment?\n    Mr. Gruenberg. There has been an enormous amount of \ninteraction first among the federal agencies related to \ncybersecurity and expanded efforts for interaction with \nindustry. I think there\'s an understanding that there needs to \nbe a level of collaboration between the public and private \nsectors to begin to get arms around the cyber issue, and there \nare committees that have been established both made up of the \nfederal agencies and made up of industry that also interact \ntogether in terms of trying to increase cooperation.\n    Mr. Foster. So you\'re not really going off in a corner and \ninventing something new? You\'re collaborating with what is \nreally a government-wide--at least government-wide if not \nindustry-wide?\n    Mr. Gruenberg. I think that\'s fair to say.\n    Mr. Foster. Okay. Let\'s see. One last thing if I may, one \nlast question. Can you contrast your level of security compared \nto the very, very large number of state banking regulators? \nWould you hazard a guess as to whether there\'re likely state \nbank regulators out there that have comparable vulnerabilities?\n    Mr. Gruenberg. Well, it\'s a fair question. I\'m not sure I\'m \nin a position to comment on it.\n    Mr. Foster. Okay.\n    Mr. Gruenberg. 
I would say as a general matter, it wouldn\'t \nsurprise me if our level of investment were greater given the \nresources, but you\'d really have to look into it.\n    Mr. Foster. All right. Thank you.\n    Yield back.\n    Mr. Loudermilk. The Chair recognizes the gentleman from \nOklahoma, Mr. Bridenstine.\n    Mr. Bridenstine. Thank you, Mr. Chairman.\n    Mr. Gruenberg, you have said that the FDIC takes seriously \nits commitment to improving its cybersecurity posture. Is that \ncorrect?\n    Mr. Gruenberg. Yes, sir.\n    Mr. Bridenstine. And you have said that improving the \ncybersecurity posture of the FDIC is one of your highest \npriorities. Is that correct?\n    Mr. Gruenberg. Yes, sir.\n    Mr. Bridenstine. So why is it that you don\'t do strategic \nIT planning?\n    Mr. Gruenberg. Well, it\'s my understanding that under the \nCIO\'s direction that that is done, but let me check on that to \nbe sure that\'s an accurate answer.\n    Mr. Bridenstine. Mr. Gibson, do you agree that strategic IT \nplanning is done at FDIC?\n    Mr. Gibson. Sir, I\'ve never really looked at that question. \nIf you could help me out a little bit, what exactly do you mean \nby ``strategic IT planning\'\'?\n    Mr. Bridenstine. Well, the idea that we\'re not reactionary \nbut instead we\'re planning ahead of time and not just reacting \nto every individual incidence.\n    Mr. Gibson. Well, one of the subjects that we intend to \nlook at in the very near future is the whole question of \nenterprise architecture. Enterprise architecture basically is \nunderstanding the design of the FDIC\'s network and its overall \nIT system and its IT structure. We\'ve commented for years that \nwe thought that more resources or effort needed to be placed in \nthe enterprise architecture area. 
We intend to look at it
specifically now because we do place great value on that in
terms of being able to direct the resources and investment that
are being made and understand better the networking and the
security components of the environment that we're looking at.
To the extent that that helps answer the question, it's
something that we'll be looking at very specifically in the
near future.
    Mr. Bridenstine. That's perfect.
    And Mr. Gruenberg, will you commit to evaluating the entire
IT enterprise architecture and moving forward with strategic IT
planning?
    Mr. Gruenberg. Yes, Congressman, I think that's an
excellent suggestion. Thank you.
    Mr. Bridenstine. Okay. Mr. Chairman, I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from
Colorado, Mr. Perlmutter, for five minutes.
    Mr. Perlmutter. Thanks, Mr. Chair.
    So my first question to you two is, how does Bell's theorem
or the Drake theory apply to the breach? Oops, that was for the
astrophysicist from a couple days ago. I apologize for that.
    All right. I'll stop messing around.
    Mr. Gruenberg. I was looking over at Fred----
    Mr. Perlmutter. I'll stop messing around.
    First, like Mr. Foster, I want to thank both of you for the
job that the FDIC does. We came through a very difficult time,
2008, 2009 and 2010, expected a lot--I expected more failures,
a lot of work between the insurance corporation and the banks
to stabilize them and grow the economy. So the big picture,
thank you very much.
    All right. So now I'm just going to go back to sort of how
I can understand this, and there's been somebody who's a thief,
he's robbed you, and then the question is, what was taken, and
who and how many people have been robbed or otherwise hurt, and
then what are you going to do about it. So I assume in these
different instances, somebody--the robber, the thief is facing
some criminal liability of some sort or another. Am I wrong?
    Mr. Gibson. Sir, we have a number of investigations that
are currently open with regard to a number of the matters that
we're talking about here today. I don't know what the ultimate
outcome of those will be but the goal was to determine whether
there is criminal responsibility that can be imposed on
anybody, and if there is, we'll pursue it with our partners in
the Department of Justice.
    Mr. Perlmutter. If I went back to my law firm and one of my
partners or one of the staff took a file how would I respond?
I'd say give it back but the problem you all face is that when
somebody takes a file, they take a million files, and I think
that's the purpose of today's panel, to try to understand how
far and wide these things are, and how you're building your
defenses to that disgruntled employee or somebody who made a
mistake and bang, it's all out there.
    So you know, some of the questions, Mr. Chairman, have been
directed to you about reprimands within the organization to the
guy who just took over and is trying to figure out where the
vulnerabilities are and who were the thieves I don't understand
why reprimanding him at this point makes any sense. But I do
understand the Committee's concern that if the FDIC is somehow
robbed, that one, we need to check your defenses, but two,
somebody's going to pay for it, you know, Edward Snowden, so it
isn't like you're all by yourselves getting robbed. I mean, the
NSA, the CIA, the Office of Personnel, Anthem Blue Cross,
Target, Chase, you name it, everybody's been hacked. But you
are the backstop for banks. So what are you doing to try to
build up your defenses?
    Mr. Gruenberg. Well, Congressman, in this set of
incidences, for all of these breaches, just from a technology
standpoint, the underlying vulnerability, as I indicated, was
allowing the use of so-called removable media--flash drives,
thumb drives--which allowed an individual to download sensitive
information on to a device like this and basically walk off
with it.
    Mr. Perlmutter. All right.
    Mr. Gruenberg. That was the--and we've now, it's fair to
say, discontinued the use of those devices.
    Mr. Perlmutter. Let me ask you this. The three of us are
lawyers, all right? So how is it--I understand the
investigations are proceeding, but if somebody takes off with a
thumb drive, has any of this been put to nefarious use? Because
if it has, then that guy should be under indictment or in jail.
What really is happening there?
    Mr. Gruenberg. On the criminal side, I really should leave
it to the IG because that's the IG's responsibility. I think
in--well, Fred, do you----
    Mr. Gibson. So I guess the best way that I can answer that
question is to say that we are pursuing cases where we believe
that there is a basis for bringing them and we're just not at a
point yet where we can disclose publicly exactly what the
status of that case is, but yes, we are pursuing investigations
in the specific areas you're concerned about.
    Mr. Perlmutter. All right, well thank you, gentlemen. Thank
you for your service to the country, and I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from
Alabama, Mr. Palmer.
    Mr. Palmer. Thank you, Mr. Chairman. I have a slide, if we
could get that slide up, please?
    [Slide.]
    Very good. Thank you.
    I want to walk through this with you. I'm going to read
this transcript. You can read it if you can see it well enough
on the slide. This was between FDIC personnel in regard to the
breach, and it says, ``Just to be clear here for the record,
there was a penetration of the FDIC network system generally by
an outside party that was malicious, right? Correct?'' and the
answer was, ``Yes.'' And the FBI alerted the FDIC, the
appropriate people within the FDIC, that this was the case, and
one of the potential fixes or appropriate actions was to shut
down or turn off the entire FDIC system to eradicate the
intruder, and the answer was yes, that was recommended. Okay,
now after that, it was--the FDIC employee said, ``Now, after
that, it was kept--I'm out of the loop except for Ned came into
my office to tell me that this incident that Russ Pittman said:
This can't get out here, this breach information. We can't do
anything to jeopardized''--that's their word--``the chairman
getting, when they vote, getting approved for because it's''--
and the questioner, ``A Senate-approved position? Confirmed.''
``Yes.'' You can take down the slide.
    Mr. Gruenberg, are you aware that the FDIC employee
attempted to cover up the fact that a foreign nation hacked
into FDIC systems in an effort not to jeopardize your
confirmation as chairman by the U.S. Senate?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. You are not aware of that?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. You've never been made aware of it?
    Mr. Gruenberg. Never, sir.
    Mr. Palmer. Are you concerned that the----
    Mr. Gruenberg. There was a report that came out yesterday.
That was the first that I had been made aware.
    Mr. Palmer. So no one within the FDIC discussed this with
you even before the hearing that this might come? The first
time you saw it was yesterday in the media?
    Mr. Gruenberg. Yes, and when that--the committee interim
report was released and there was a reference to it. That was
the first I became aware of it.
    Mr. Palmer. So you testified that you've never--you did not
hear that before yesterday?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. Okay. Are you concerned that the FDIC officials
attempted to shield details of the incident from knowledge of
the individuals outside the FDIC including the Inspector
General until after your confirmation? Does that concern you?
    Mr. Gruenberg. I understand this was represented. I can't
speak to the accuracy----
    Mr. Palmer. We can give you a copy of the transcript.
    Mr. Gruenberg. I understand, but, you know, it--I can't
speak to the accuracy. If it was accurate, certainly.
    Mr. Palmer. When did you first learn that the breach
occurred?
    Mr. Gruenberg. Well, this goes back to an incident in 2010
and 2011, I believe.
    Mr. Palmer. Were you aware of it then?
    Mr. Gruenberg. I was made aware of it, I believe, for the
first time in 2011, and as you may be aware, our Inspector
General--undertook an investigation of this and issued a report
in 2013. I believe the finding of the report as I indicated in
my opening statement, is that in regard to this incident, both
myself and other members of the Board and senior executives
were not fully informed.
    Mr. Palmer. I've got a couple other questions. Are you
confident that the FDIC's current cybersecurity posture can
prevent a similar breach from occurring? It's a yes or no.
    Mr. Gruenberg. If I may, as the--I think we are improving
our systems. I think--I want to say in light of OIG reports--I
think it's fair to say we are working hard to address the
issues identified. So I don't want to----
    Mr. Palmer. So you're not totally certain that it's secure?
    Mr. Gruenberg. I think----
    Mr. Palmer. Let me ask you this----
    Mr. Gruenberg. Congressman----
    Mr. Palmer. --in the context of how these breaches
occurred, if I may, does the--where the employees taking
information on their way out after they've left employment,
does the FDIC have an employee handbook manual?
    Mr. Gruenberg. I would have to check but I believe--I
assume we have something like that.
    Mr. Palmer. Based on that answer, I would assume you
haven't read it.
    Mr. Gruenberg. I can't say I've looked at it, sir.
    Mr. Palmer. I think it might be a good idea if you became
familiar with it and make sure that you have a policy in there
that is clear that it is prohibited for any employee upon
leaving their employment that they cannot take any information
with them, and I think if that had been clearer, that might not
have happened. It may have happened anyway, particularly with a
disgruntled employee.
    Mr. Gruenberg. Congressman, if I may say, I do believe
there is such a requirement so that when an employee leaves the
agency, they have to sign a statement to that effect.
    Mr. Palmer. They do?
    Mr. Gruenberg. Yes.
    Mr. Palmer. Well, were these people prosecuted? Because
that's a prosecutable offense.
    Mr. Gruenberg. That's what the IG is looking into, I
believe.
    Mr. Palmer. Okay. Let me say this, Mr. Chairman, and I'll
wrap it up.
    I find it interesting that some at the FDIC apparently
thought your confirmation as Chairman was more important than
taking immediate action to protect almost 31,000 banks and
160,000 individuals, as it turns out the total here. It's as
though these banks and their depositors and customers were
acceptable losses, collateral damage, to ensure that you
would--there would be no obstacles to your confirmation. That
concerns me. That is indicative of some political calculations
within the FDIC that in my opinion were totally inappropriate.
I yield back.
    Mr. Loudermilk. I thank the gentleman.
    Mr. Gruenberg, as you're aware, this hearing is about
security breaches, cybersecurity breaches, and your efforts to
mitigate future breaches, but I'm growing more concerned of the
lack of preparation because quite often, many times in most
every witness, you've said let me get back to you on that, and
in one case, what really concerns me, you said you may get back
to us with that----
    Mr. Gruenberg. I'll get back on every point, sir. I didn't
mean to----
    Mr. Loudermilk. Oh, okay. That helps a little bit. But also
getting a little more concerned, we don't expect you to know
the answer to every intricacy in there but not knowing whether
you even have a policy handbook is concerning, and a lack of
staff here as advisors with you is--may lead some to believe
that maybe you weren't as prepared or take this as seriously as
we think you should.
    With that, I recognize the gentleman from Virginia, Mr.
Beyer, for five minutes.
    Mr. Beyer. Thank you, Mr. Chairman.
    I believe we can all agree that the FDIC has suffered from
some serious data breaches and that some of their responses to
the Committee were initially not complete and that the original
analysis of these major data breaches by senior FDIC officials
was not adequate or fully accurate. However, I don't agree that
we can or should infer from the facts that the Committee has
gathered to date as the Majority has clearly done that
individual FDIC employees intentionally lied to this Committee
or have engaged in deliberate obstruction of this Committee's
investigation.
    Unfortunately, the Majority appears to have selectively
pulled some information that helps them paint that narrative.
They ignore some records and have intentionally not interviewed
certain witnesses who may have presented a fuller understanding
of the agency's actions that the Majority has called into
question.
    As one key example, the Majority staff report refers to one
FDIC official who the report stated, ``deliberately tried to
prevent FDIC attorneys from creating records that would be
responsive to the Committee's request in this investigation.''
    But the initial request not to create emails regarding
certain investigations of the agency's investigation was
documented in an email from one FDIC employee on October 29,
2015, which was long before the Science, Space, and Technology
Committee began an investigation, long before we were even
aware of the breach.
    So while this email raises legitimate questions about why
FDIC employees were directed not to put certain information in
emails--that's certainly inexcusable--it occurred one day
before the OMB memo 1603 was issued and 4 months before the
Committee even became aware of the data breach at the FDIC. So
to suggest this direction was part of an effort to obstruct the
Committee's investigation makes no sense, is frankly misleading
when you examine all the records the Committee has obtained.
    So I'd like to seek unanimous consent to enter this email
of October 29, 2015, into the record.
    Mr. Loudermilk. Without objection, so ordered.
    [The information appears in Appendix II]
    Mr. Beyer. Thank you, Mr. Chairman, and Mr. Chairman
Gruenberg, I read carefully--I listened to you but I also read
the 15-page statement that you submitted for the record, and I
just wanted to thank you for not the disasters before but for
taking full responsibility, for trying to be as clear and
transparent as possible, for coming together with a
comprehensive plan which takes up most of that 15 pages, and
near as I can tell, fulfilling all of the Inspector General's
recommendations. I thought Chairman Smith's opening question,
which is to the Inspector General, are you as the leader of the
FDIC doing everything that they recommended, and let me,
Inspector General, ask you that one more time to make sure that
we're all on the same page.
    Mr. Gibson. Sir, they gave us a series of responses to our
recommendations that we consider to be responsive. What we'll
be doing is, we'll be following up to monitor the
implementation of the things that the FDIC has indicated they
will do and to determine whether they've been effective.
    Mr. Beyer. Great, great. We would only expect that you
would continue to make sure that the chairman and his team
follows through on the recommendations you've made.
    Mr. Chairman, in the back and forth with my good friend
from Alabama, where you were taking some heat about the
employees who were shielding you through the nomination
process, were you aware that they were shielding you, and did
you take any personnel action once you became aware?
    Mr. Gruenberg. I certainly was unaware, Congressman, as I
indicated. I learned about it for the first time yesterday, and
I just would be cautious. I understand it was asserted by an
individual in an interview, but there hasn't been a review of
what actually occurred here, so I'd be cautious, you know,
about the accuracy of the representation.
    Mr. Beyer. Okay. Good. Thanks. But you certainly would
agree that this is inappropriate?
    Mr. Gruenberg. Oh, no question, if indeed it's true.
    Mr. Beyer. Yeah. Thanks. Much has been made about the seven
people that took the records out, the excess of 10,000 per
person. What is the long-term follow-up plan to make sure that
the data breaches have no ongoing effort? You know, sometimes
the records are stolen by whomever, and it could be 2, 3, four
years before they try to apply for a credit card or a car loan
or something like that.
    Mr. Gruenberg. Well, as a threshold, I think we're
addressing the technological vulnerability related to the
removable media that sort of underlay each of these incidences,
so hopefully as a threshold, that'll be helpful in addressing
it. We'll also be implementing policies and procedures to
carefully monitor any activity and have a very strong system of
controls relating to any employee who may be separating from
the agency.
    Mr. Beyer. But I'm specifically concerned about the records
that were already out there, not breaches still to happen but
breaches that already did occur.
    Mr. Gruenberg. Yeah. For the ones that have been
identified, and we have recovered the devices, we can't say
with certainty that there was no dissemination. I don't know
that we can ever demonstrate that conclusively. At least thus
far, we haven't had evidence of dissemination.
    Mr. Beyer. Okay. Great. Thank you, Mr. Chairman.
    Mr. Chairman, I yield back.
    Mr. Loudermilk. I thank the gentleman from Virginia, and
Mr. Gruenberg, since you are going to get back with us on some
things, would you please provide this Committee the copy of the
handbook that was mentioned earlier?
    Mr. Gruenberg. Yes.
    Mr. Loudermilk. Also, notice to the members of the
Committee, we do intend on doing another round of questioning
for those--this is an important matter. We'll make sure
everyone gets their ample opportunity to ask their questions.
    With that, I recognize the gentleman from Louisiana, Mr.
Abraham, for five minutes.
    Mr. Abraham. Thank you, Mr. Chairman.
    Mr. Gruenberg, when did you first become aware of the
Florida incident where 10,000 people's records were
compromised? When did you become aware?
    Mr. Gruenberg. I think I was informed in--the incident
occurred on October 15th. It was identified on October 23rd. I
believe I was notified for the first time in November, I think
November 19th.
    Mr. Abraham. So about a month?
    Mr. Gruenberg. Yes, sir.
    Mr. Abraham. What was your role in deciding whether to
report that to Congress or not?
    Mr. Gruenberg. I didn't. As the IG noted in its report, I
didn't have a role in that.
    Mr. Abraham. So I mean, you couldn't have been proactive?
Or could you have been proactive in reporting that to Congress
if you so chose?
    Mr. Gruenberg. It was a judgment made by our CIO working
with the data breach management team----
    Mr. Abraham. And that was the gentleman that took the hand
on November 2nd?
    Mr. Gruenberg. Yes, sir.
    Mr. Abraham. And I understand that he was new to the job
and he has been in the job eight or nine months and that he's
learning the job but, you know, I might suggest this is not an
on-the-job training job. He should have come very well vetted
and prepared to do the job on day one. So it does concern me
that, you know, we're taking this type of attitude--well, he's
learning the job, so to speak, and you know, we hate it that he
was thrown into the fire that early. I mean, if he would have
been thrown into the fire the day he got on the job, he should
have been able to do the job.
    Mr. Gruenberg. It's a fair point, Congressman. He came, as
you can--if you reviewed his bio--with considerable experience
in this area. I was referring to his learning a new agency.
    Mr. Abraham. Well, I understand that, but again, these are
questions you ask in a pre-employment brief, and he knew the
job before he took the job.
    Did you ever resist the OIG's suggestion to report the
Florida incident as a major incident to Congress?
    Mr. Gruenberg. No, Congressman.
    Mr. Abraham. Okay. Mr. Chairman, I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from
Ohio, Mr. Davidson, for five minutes.
    Mr. Davidson. Thank you, Mr. Chairman. Thank you both for
coming here, and I appreciate the work that you do. The FDIC
does have a nice track record of success in securing our
financial institutions. I'm very concerned about the recent
record of securing our data which is at stake, so thank you for
taking that seriously.
    And one of the questions I've got going back to this
Florida incident, Mr. Gibson, did your staff find that the
FDIC's representations of the Florida breach were inadvertent,
non-malicious, and the breacher was cooperative? Did you find
those as accurate statements?
    Mr. Gibson. No, sir, we wouldn't agree with that.
    Mr. Davidson. Mr. Gruenberg, why would your staff provide
that information during the Committee's briefing to Congress
that they were simply trying to understand how it actually
occurred?
    Mr. Gruenberg. Congressman, I believe--and I understand the
IG's perspective on this. I think the assessment made rightly
or wrongly by our CIO in conjunction with other staff in the
Legal Division was that it was inadvertent. It may have been a
misjudgment but that was the judgment--the conclusion that was
reached.
    Mr. Davidson. And just to restate it, I think it's been
covered, but to be very clear, the individual at the center of
this was not cooperative and was--since it was not inadvertent.
It was therefore advertent. It was non-malicious, therefore, it
was malicious. Has there been any action taken against this
individual?
    Mr. Gruenberg. Well----
    Mr. Gibson. Sir, she's a former employee, so from the
FDIC's perspective, I assume there really isn't any action that
they're able to take, and again, all I can say with respect to
our ongoing work is that there are a number of matters that
we're looking at that haven't reached the stage where we can
discuss it publicly.
    Mr. Davidson. You don't feel that there's a crime that has
been committed here?
    Mr. Gibson. Sir, whether I feel there's a crime or not
probably isn't the issue. The question is whether an individual
was engaged in behavior that the Department of Justice would
agree constitutes a crime and they can bring an indictment
against someone.
    Mr. Davidson. We've seen that seems to be a pretty high bar
lately.
    What would happen--you guys cover our banks and our
financial institutions, and really audit many of these same
transactions. So what would happen if a financial institution
had a similar data breach?
    Mr. Gruenberg. I asked that question, Congressman. I
think--a couple of things. They would have to identify the harm
or risk of harm, they would have to notify customers that are
impacted if there is a risk of harm, and there would be an
expectation that they would notify their regulator.
    Mr. Davidson. And they would be very clear under Dodd-Frank
in particular that they would notify you, correct?
    Mr. Gruenberg. I believe it's actually under the Gramm-
Leach-Bliley Act that there was a provision relating to this.
    Mr. Davidson. Right. And how would--how would you react if
a financial institution provided patently false information to
you during your investigation? What sort of course of action
would you have in following up with that institution?
    Mr. Gruenberg. I think the procedure would be that there
would be a follow-up at the next examination. We would review
the handling of the case. We would review their systems, to see
whether there was, you know, a failure. If there was evidence
of intentionality in terms of not reporting that, that would be
an additional matter we'd have to take into consideration.
    Mr. Davidson. What sort of signs would you look for to say
that they were actually taking the matter seriously? Would you
consider it serious if they kept all the same personnel and
practices in place?
    Mr. Gruenberg. I think the threshold--and again, I'm not an
examiner, but I'll just try to respond--I think would be what
systems do they have in place and the effectiveness of those
systems to deal with these kinds of issues.
    Mr. Davidson. Here's the concern I've got coming into the
meeting, and frankly, only made worse during the conversations,
is that we're focusing on one or two individuals, and really,
the IT department at your agency can't be as strong as one new
employee. You've got a robust staff, and so I'd be curious to
know what sort of recommendations and dialog and, frankly, from
the whistleblower information, it seems like there's really not
a lot of support for some of the direction your new CIO is
going. And that doesn't mean that there's--that it's accurate,
to your point. I appreciate your desire to look into it. But
I'd also ask you to look into the culture because, frankly, it
sounds like this culture is perhaps maybe partisan cover-ups
and maybe just concern that it's impossible to fail. There's a
lot of pressure to perform, and so there's cover-ups there, and
so a culture that doesn't provide the kind of transparency is
not likely to be able to deliver the kind of results that your
mission requires, and so I'm very concerned about that.
    Thank you. I yield back, Mr. Chairman.
    Mr. Loudermilk. The Chair recognizes the gentleman from
Illinois, Mr. LaHood, for five minutes.
    Mr. LaHood. Thank you, Mr. Chairman, and I want to thank
both of you for being here today. I appreciate it very much.
    I guess I want to just focus a little bit on some of the
transcript interviews that have been conducted with FDIC
employees seem to indicate that there has been a concerted
effort by the legal department at FDIC on instructing employees
on how to respond when it comes to cybersecurity breaches as it
relates to emails, and it seems like a real effort, Mr.
Gruenberg, to limit the exposure to Congressional and FOIA
requests, and that's really concerning to the Committee and to
us because what that leads us to believe, or me to believe, is
that you're hiding facts or circumstances surrounding these
breaches, and particularly when it comes from the legal
department because that's who your employees rely upon in your
department, and I guess just from a foundational standpoint in
looking at these very serious cybersecurity breaches, Mr.
Gruenberg, do you take transparency seriously at the
department?
    Mr. Gruenberg. Yes, Congressman.
    Mr. LaHood. And are you committed to working with this
Committee and the Inspector General to prevent breaches in the
future?
    Mr. Gruenberg. Yes, very much so.
    Mr. LaHood. And as Chairman of the FDIC, you speak on
behalf of the Agency. Is that correct?
    Mr. Gruenberg. Yes, but just acknowledging I have a board
that I have to consult and work with as well.
    Mr. LaHood. And can you--I want to get into a couple of
these interviews that were done. Can you give us--you're a
lawyer, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. And in fact, you served as Senior Counsel to
the Senate Banking Committee, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. So the legal department instructing FDIC
employees not to discuss matters related to cybersecurity and
breaches, why was that being done?
    Mr. Gruenberg. I understand that was represented in the
report. If I may, let us look into it and come back to you on
it.
    Mr. LaHood. Well, that's hard to take that answer when your
legal department is giving that advice.
    I want to direct your attention to a specific transcript.
It's up on the screen there. This is an excerpt for--these are
questions that were asked, and the nice thing about transcripts
is, it gives us the questions and the answers that were given.
``Are you aware of any instructions given by anyone at the FDIC
to not discuss certain subject matters in an email?'' That's
the question. Answer: ``Yes.'' Question: ``Could you shed a
little light on that?'' That's the question. Answer: ``I
received the same instructions directly from Roberta McInerney,
and Roberta McInerney's instructions to me were, quote, "Do not
discuss deliberations over the applicability or implications of
OMB 1603 in an email."'' Question: ``You mentioned that
instructions from Roberta McInerney gave to you. Was that
directly to you?'' Answer: ``Yes. Roberta McInerney gave those
instructions directly to me.''
    So I look at that from employees, and that seems to be a
pattern here. Were you aware that she was giving those
instructions to FDIC employees?
    Mr. Gruenberg. No, I wasn't, Congressman.
    Mr. LaHood. When you found out she was doing that, what did
you do?
    Mr. Gruenberg. This was represented, I gather, in an
interview by one of our employees with the Committee, and so it
is now something that we will----
    Mr. LaHood. When did you become aware of it?
    Mr. Gruenberg. I know it was contained in the report that
was released yesterday. There may have been emails that we
provided, so I'd have to check specifically, but that's
something we will have to----
    Mr. LaHood. When did you become aware that she was doing
this?
    Mr. Gruenberg. I can't tell you specifically. I'd have to
go back and check the record.
    Mr. LaHood. Would you--I mean, just can you give us a time
frame? Would it have been two months ago, a month ago?
    Mr. Gruenberg. It would have been--I really have to check
but it would have been--I'd have to look at the production that
we made to the Committee when we----
    Mr. LaHood. I'm asking for a time frame when you became
aware that she was instructing employees to do this.
    Mr. Gruenberg. I would assume in the last few weeks but I'd
have to check on it.
    Mr. LaHood. When you found that out, what did you do?
    Mr. Gruenberg. We haven't taken any action on it yet, sir.
    Mr. LaHood. So when you found out, you have not done
anything?
    Mr. Gruenberg. Not thus far.
    Mr. LaHood. Were you complicit in those instructions?
    Mr. Gruenberg. No, sir.
    Mr. LaHood. Did you ever advise employees in your
department to do what Roberta McInerney did?
    Mr. Gruenberg. No, sir.
    Mr. LaHood. Does every employee at the FDIC take an oath of
office?
    Mr. Gruenberg. I believe so.
    Mr. LaHood. I want to put up on the screen there the oath.
I believe this is the oath that's taken by employees. I believe
you took this oath and everybody else there. You're familiar
with that, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. And do you believe that your employees are
abiding by that oath of office?
    Mr. Gruenberg. I believe so.
    Mr. LaHood. And can you certify to the Committee that all
your employees are abiding by this oath?
    Mr. Gruenberg. I don't know that I have the capacity to do
that.
    Mr. LaHood. Thank you. Those are all my questions, Mr.
Chairman.
    Mr. Loudermilk. I thank the gentleman from Illinois, and I
also may add that the questions by Mr. LaHood are corroborated
by the email that was entered into the official record by Mr.
Beyer that this was indeed happening, so I thank the gentleman
from Virginia for that.
    I now recognize the gentleman from Texas, Mr. Weber, for
five minutes.
    Mr. Weber. Thank you, Mr. Chairman. That was an interesting
discussion between you and Mr. LaHood, Mr. Gruenberg. I might
give you some unsolicited advice. You can actually download the
manual onto a thumb drive and walk out with it probably as some
other things too if you want.
    Did you become aware of that information before the report
was released, you talked about yesterday, you said a few weeks?
    Mr. Gruenberg. I'd really need to check just to be sure I
give you accurate information.
    Mr. Weber. Well, that's very, very interesting.
    You have--you said earlier in a discussion with Randy
Neugebauer in an exchange that you were careful about
representing yourself as being with technology or something to
that effect. So who would--you're aware that the Insider Threat
program is aimed at identifying potential employees. Since
you're not a technology person, who advises you on that
program?
    Mr. Gruenberg. The--we have both the CIO and our Division
of Administration is responsible.
    Mr. Weber. Okay. Is that program contained in the manual?
You probably don't know because you haven't read the manual.
    Mr. Gruenberg. No, that's--I don't believe--it's a program
we're in the process of establishing.
    Mr. Weber. So it was established at one point but you
halted it?
    Mr. Gruenberg. No, it was in the process of being
developed.
    Mr. Weber. So it was being developed and you halted the
development?
    Mr. Gruenberg. Well, I believe the term used in the IG's
report was ``stall.'' I think there was a process of developing
the program over a period of time. My understanding of what
occurred is that there was a lack of follow-through in bringing
it to completion.
    Mr. Weber. Who advises you on that program's progress or
lack thereof?
    Mr. Gruenberg. It would be, I think, both our Division of
Administration and our CIO.
    Mr. Weber. Can you give us the name?
    Mr. Gruenberg. I can get those for you, sure.
    Mr. Weber. So you didn't have any discussion with
individuals that you know the name of that said look, the
program needs to be halted?
    Mr. Gruenberg. Oh, no, no. I think there's--no, sir.
    Mr. Weber. So you just halted it on your own without
conferring with anybody?
    Mr. Gruenberg. No, as I indicated, my understanding is that
the program was in development and it was not brought to
completion in a timely way.
    Mr. Weber. So who halted that program?
    Mr. Gruenberg. As I said, I don't know that it was halted.
I think the term used in the IG's report----
    Mr. Weber. Okay. So who--it quit being developed. Now we're
parsing words.
    Mr. Gruenberg. I think it never stopped being developed. I
think it slowed down. It wasn't brought to fruition in a timely
way.
    Mr. Weber. But nobody advises you on this program?
    Mr. Gruenberg. I think both the Division of Administration
and the CIO----
    Mr. Weber. But you'd have to have one person who was an IT
expert, right, that actually knew that program inside and out
and could come report to you?
    Mr. Gruenberg. We have a security group in our Division of
Administration that I think is the lead on that.
    Mr. Weber. Who do they report to?
    Mr. Gruenberg. They would report to the Director of the
Division.
    Mr. Weber. And who would that Director of that Division
report to?
    Mr. Gruenberg. The Director reports to our Chief Financial
Officer.
    Mr. Weber. And who would that Chief Financial Officer
report to?
    Mr. Gruenberg. To me.
    Mr. Weber. To you. And you had no communication up that
line to talk about that program and it needed to be stopped
being developed or halted or whatever parsed word we want to
use?
    Mr. Gruenberg. No, sir.
    Mr. Weber. No communication whatsoever?
    Mr. Gruenberg. No, I was briefed on the program, and it was
an understanding that we wanted to develop it in a careful way.
    Mr. Weber. And you were briefed by who?
    Mr. Gruenberg. By the individuals I mentioned.
    Mr. Weber. And the names?
    Mr. Gruenberg. The Director of our Division of--I'd have
to--I should check, you know, who participated in the briefing
to be sure I----
    Mr. Weber. But you did name two, Director of the Division
and the CFO, I think.
    Mr. Gruenberg. Yeah, I would want to just check for
accuracy as to who took part in the briefing just to be sure.
    Mr. Weber. So you're not sure that either one of those
people briefed you?
    Mr. Gruenberg. I believe they did. I just want to check the
record to be sure I'm giving you accurate information.
    Mr. Weber. Okay. And you can get back to us in writing with
that?
    Mr. Gruenberg. Certainly.
    Mr. Weber. Mr. Gibson, do you understand the Insider
Threat--maybe you could brief Mr. Gruenberg. Do you understand
the Insider Threat program?
    Mr. Gibson. I try to.
    Mr. Weber. Okay.
    Mr. Gibson. Do I understand it? Yeah, I mean, the basic
purpose of the program----
    Mr. Weber. Do you know why it was halted last fall, or
not--``halt'' is not the right word--no longer developed?
    Mr. Gibson. We had a discussion about that a little earlier
in the hearing today, and, you know, basically we've heard two
reasons for that. You know, management believed that the
program was moving too far, too fast, too quickly, that it
needed to, you know, develop some standard operating procedures
and processes and so forth. The people who were a lower level
of the organization believed that they were essentially told
stop, and----
    Mr. Weber. Is there communication about that? When you said
they believed they were told to stop, was there communication
about that we can get?
    Mr. Gibson. There were a couple of briefings, as I recall.
    Mr. Weber. Any emails?
    Mr. Gibson. None that I'm aware of, sir.
    Mr. Weber. Okay. Would you recommend that it be unhalted or
un--whatever the term you want to use?
    Mr. Gibson. I think the most significant recommendation in
one of the audits that we've completed is that the FDIC
establish a formal Insider Threat program.
    Mr. Weber. Okay. Chairman, did you say there's going to be
a second round of questioning?
    Mr. Loudermilk. Yes, we will, until we get through everyone
or votes are called, which we anticipate is going to be about
40 to 45 minutes.
    Mr. Weber. Well, then I'll go ahead and yield back. Thank
you.
    Mr. Loudermilk. The Chair recognizes the gentleman from
Illinois, Mr. Hultgren, for five minutes.
    Mr. Hultgren. Thank you, Mr. Chairman. Thank you both for
being here.
    Mr. Gibson, I want to commend your good work on these audit
reports. Your team has done an outstanding job.
    Mr. Gibson. Thank you, sir.
    Mr. Hultgren. I want to point out, however, that the FDIC
has been without a Senate-confirmed Inspector General for over
a thousand days. Since September 2013, there's only been an
Acting Inspector General. Congress, the House in particular,
relies on the IGs to be independent watchdogs. To a certain
extent, they are our eyes and ears within the department or
agency.
    Mr. Gibson, would having a Senate-confirmed IG empower your
office, and if so, how so?
    Mr. Gibson.
Sir, I think under the IG Act, the idea of a \nSenate-confirmed IG is to create a position with significant \nindependence within the agency and the ability to handle things \nin a totally independent manner. I mean, all I can say is, \nwe\'ve done our best to preserve our independence through this \nperiod of time, and I believe we have.\n    Mr. Hultgren. I appreciate that.\n    The Committee has learned that the Agency has access to \nyour Office of Inspector General emails in some cases as well \nas emails between your office and the informants you may have \nwithin the agency. Does this raise concerns for you? What, if \nanything, is the agency doing to remedy the comingling of \nemails?\n    Mr. Gibson. So it raised significant concerns for us when \nthe subject was brought to our attention. Now, it\'s not all \nemail. There are pockets of email that appear to have been \nexposed to a program that enables it to be searched. In fact, \nit was discovered in the FDIC\'s search of its email vault in \nresponse to this Committee\'s request for information. They are \nemails that involve certain members of our staff that involve \ncertain periods of time. We\'ve been working closely with the \nDivision of Information Technology at the FDIC to identify the \nemails that are there, to segregate them, to prevent them from \nbeing found through the course of the use of that. We\'re \nlooking at logs to determine who\'s looked at those emails. \nWe\'re conducting a good deal of independent work to provide \nourselves with as much assurance as we can about the security \nof that stuff. I\'d be happy to describe that in more detail. I \ndon\'t want to take all of your time.\n    Mr. Hultgren. No, I\'d like to hear more about it. I mean, \nthis is really the focus of my question. So I mean, if--and \nreally, what we can do. I\'m concerned about this. 
Again, I \nthink is an important service tool, something that we need, and \nso I\'m concerned of some of the--what I see as negative impact \nthat could come from this, so I\'d love to hear from you \nsuggestions of what we can do, what you\'re doing to make sure \nthat your work is protected and the integrity is strong.\n    Mr. Gibson. One of the things that we are doing is we\'re \nbringing in an independent group to advise us, you know, and to \nprovide us with independent assurance that the steps that have \nbeen taken to mitigate this issue are correct, that the search \nlogic and the search efforts that we have undertaken to be sure \nthat we know exactly the scope of all of the problems that we \nhave have been fully identified and again remediated.\n    I think that on a longer-term basis, what this leads us to \nis questioning where our IT environment should be located. We \nwant to take our time in answering that question because \nobviously there are large implications for our office both from \na staffing standpoint and a financial standpoint, if nothing \nelse but balancing that against the need for at least the \noutward aspects of independence that are implicated when the \nsuggestion can be made that somebody\'s taking a look at email. \nThere\'s a lot of issues for us to balance in this, and we\'re \ntrying to do it quickly, but we want to be sure we do it in a \nvery thoughtful manner.\n    Mr. Hultgren. I appreciate that. We certainly want that, \nbut we also want to hear from you as you are coming to \nconclusions of how do we do this well, how do we make sure that \nwe\'re assisting in this again to make sure that as best as we \ncan the information we\'re getting from your office we know \nisn\'t affected, compromised, being seen before we have a chance \nto----\n    Mr. Gibson. 
Absolutely, sir, and we completely understand \nand agree with that, and I\'ll be more than happy to provide you \nor staff with whatever information we can as we move through \nthis process just to keep you updated on the things that we\'re \ndoing and what we think that we need to do.\n    Mr. Hultgren. Great. Thank you.\n    With that, I yield back, Chairman. Thank you.\n    Mr. Loudermilk. I thank the gentleman.\n    Mr. Gibson, thank you for that. I think that shows \nforesight and planning and being proactive, not just reactive \nto these types of steps, and I think that\'s the type of thing \nthat we would be looking for.\n    With that, I recognize the gentleman from California, Mr. \nRohrabacher, for five minutes.\n    Mr. Rohrabacher. Thank you very much, Mr. Chairman, and let \nme apologize. Earlier on in the hearing, I was at a markup, and \nquite often we have two or three responsibilities happening at \nthe same time, so maybe I\'ll try to go to more of a--rather \nthan go into details, I could get some analysis view of the \nactual basis, the fundamental issues of what we\'re talking \nabout.\n    We\'re discussing computers that were hacked by the Chinese \nor other entities between 2010 and 2013 of the Federal Deposit \nInsurance Corporation. What harm could come of the fact that \nyou have other entities and the Chinese hacking into your \ncomputer system? What harm would that cause?\n    Mr. Gibson. Sir, is that question directed----\n    Mr. Rohrabacher. Whoever.\n    Mr. Gibson. It can cause significant harm obviously. I \nmean, there\'s a significant volume of information that\'s \navailable in the FDIC\'s IT environment, a great deal of \nsensitive information, whether it\'s privacy-related information \nor information related to----\n    Mr. Rohrabacher. Maybe you can give me an example of \nsomething harmful that could come from that.\n    Mr. Gibson. 
Well, for example, there are large volumes of \ninformation about specific financial institutions. Let\'s take \njust the Dodd-Frank resolution plans. There are non-public \nsegments of those documents. That information could be \nextremely valuable to an adversary, and it may be something \nthat could be targeted by someone.\n    Mr. Rohrabacher. So if we have Chinese hacking into our \nsystem, what you\'re saying is that because they were--this was \nhappening, perhaps American businesses that are doing business \nhere and in China who are facing competitors or facing \nadversaries, economic adversaries, that the American companies \nbecause we are complying with the information required of us by \nthe Federal Government could be put in economic jeopardy?\n    Mr. Gibson. Sir, in theory, there\'s risk there, yes.\n    Mr. Rohrabacher. All right. So this really could add up to \nvery great harm done to Americans financially, both American \ncompanies, perhaps some individuals as well who have invested \nin those companies.\n    Now, we\'re being told that of course now that the FDIC was \nless than forthcoming about this. Now, I seem to remember those \ndays. We were told over and over and over again about the \nimportance of not getting--of being hacked into and \ncybersecurity was something we talked a lot about, but yet we \nnow are, from what I\'ve heard even now and read so far about \nthe hearing is the FDIC was less than forthcoming to Congress \nabout what was going on, and in fact, we were not informed and \nintentionally uninformed of this.\n    So let me just note for the record, Mr. 
Chairman, that this \nattitude that we\'re talking about that pervaded, that actually \nmade people make their decisions based on an attitude that \nprevailed at the FDIC is, number one, of course something that \nis unacceptable, but I see that as part of a trend in this \nAdministration.\n    Listen, I worked in the Reagan White House and it was very, \nvery clear that what happens at the very highest level of an \nadministration creates the attitude and the standards that go \nright on down to the departments and agencies. So let me just \nsuggest, and what I\'ve heard so far, and what this indicates is \nthat there\'s been a pattern of obfuscation in this \nAdministration, not only on this issue but others. There\'s been \na pattern of stonewalling and covering up mistakes and \nwrongdoing, and these things cannot be just shrugged off. These \nare things that have to be taken seriously, especially when as \nwe are noting now that there is actual damage to the American \npeople where actually some people we could have billions of \ndollars\' worth of financial harm done by information that\'s \nsupposed to be secret information, confidential information, \nbut is now being ignored when our economic enemies actually get \ntheir hands on the information.\n    I would suggest that we have here is not a culture of \nsecrecy at your department but instead a disrespect for \nCongress\'s right of oversight, a disrespect for the rights of \nthe American people to actually get the information during \nCongressional hearings, and so what we\'ve had is from the \nbeginning a cover-up and obfuscation of that cover-up of not \nnecessarily wrongdoing but covering up the fact that somebody \nwasn\'t maybe able to do their job. 
You can\'t expect things to \nbe corrected if it\'s done even with a good motive, but if you \nhave some evil motives going on, that will never be uncovered \nunless we have better cooperation between the executive branch \nand the legislative branch, especially in oversight \nresponsibilities.\n    So thank you very much, Mr. Chairman, for your oversight \nresponsibilities.\n    Mr. Loudermilk. I thank the gentleman from California, and \nI think it\'s imperative for us to understand that, you know, \nthe American people rely upon this government for their safety \nand security, from homeland security to even the safety and \nsecurity of their financial assets through the FDIC. The \nfrustration with the American people is that because of \nmultiple incidences, they rely on the government but their \ntrust in the government is at an all-time low, and it\'s because \nof situations such that Mr. Rohrabacher has spoken about and \nwhat we\'re investigating here.\n    With that, the Chair recognizes the gentleman from \nArkansas, Mr. Westerman, for five minutes.\n    Mr. Westerman. Thank you, Mr. Chairman. I\'d also like to \nextend my appreciation to Mr. Gibson for their work. If I could \nask the Committee staff to put a slide up? Okay. Thank you.\n    [Slide]\n    I just want to read from the transcript. This is an except, \nsome questions and answers. The first question was, ``Were \nthose updates being provided to anyone in the Chairman\'s office \nor the Chairman himself\'\' and the answer was ``Let\'s see. At \nthe time it was Roddy, Brian, myself, Martin, Chris, and Russ \nPittman. The COO was later added.\'\' The question is, ``Is that \nBarbara Ryan?\'\' and the answer was, ``On December 1st.\'\' \nQuestion: ``Barbara Ryan is the COO and chief of staff to the \nchairman. 
Is that correct?\'\' The answer is ``Yes.\'\' The next \nquestion: ``Does she act as the chairman\'s eyes and ears in \nmeetings like this?\'\' and the answer was, ``My understanding--I \ndon\'t have direct knowledge of that but yes.\'\'\n    So Mr. Gruenberg, did you attend meetings regarding the \ncybersecurity incidents including the Florida incident to \ndiscuss the agency\'s response to the breaches?\n    Mr. Gruenberg. I believe, Congressman, I was briefed on \nNovember 19th by the CIO in regard to the Florida incident, and \nI think that was the only briefing I actually had on it.\n    Mr. Westerman. So you actually didn\'t attend----\n    Mr. Gruenberg. No, sir.\n    Mr. Westerman. Okay. So when you were not present, did your \nchief of staff, Barbara Ryan, attend?\n    Mr. Gruenberg. As indicated in the--I believe so, yes.\n    Mr. Westerman. And how often did Barbara Ryan brief you on \nthe status of the breaches?\n    Mr. Gruenberg. She really didn\'t brief me, as it were. \nThere may have been occasions where she gave me a heads up but \nnot--it wasn\'t really her role to do the briefings.\n    Mr. Westerman. Even though the transcript says she was your \neyes and ears?\n    Mr. Gruenberg. Well----\n    Mr. Westerman. Maybe she really wasn\'t your eyes and ears?\n    Mr. Gruenberg. I don\'t know how to characterize that but in \nterms of an actual briefing on these matters, she wouldn\'t have \nbeen the one to do it.\n    Mr. Westerman. Okay. So the Committee understands that \nbased on the Inspector General\'s report that the FDIC failed to \nnotify Fin-Syn that Bank Secrecy Act information was involved \nin the Florida breach until prompted to do so by the Inspector \nGeneral. Why did the FDIC not notify Fin-Syn of the breach?\n    Mr. Gruenberg. I think we should have. I think we failed to \ndo so in that instance, Congressman.\n    Mr. Westerman. 
And the Committee now understands that the \nFDIC has in fact notified Fin-Syn yet you approved the \nnotification to Fin-Syn. Why do you have elevated concern when \nit comes to notifying another agency within the executive \nbranch of a breach yet opted not to report the Florida incident \nto Congress until prompted by the Inspector General?\n    Mr. Gruenberg. I think as we discussed earlier, it was a \nmatter of assessing the incident, and I think what occurred \nwas, there was an assessment that while the incident was a \nbreach, the initial assessment was that it didn\'t rise to a \nlevel of a major incident. When the IG reviewed it and reached \na different conclusion and notified us in February, we then \nadopted the IG\'s approach to the incident and then reported it \nas a major incident.\n    Mr. Westerman. So it took the IG\'s notification to raise \nthe level of concern enough to actually make the notification?\n    Mr. Gruenberg. I think the IG indicated that the approach \nthe agency was taking to assessing the incident was incorrect, \nand we were using--considering factors relating to risk of harm \nthat weren\'t appropriate, that weren\'t really incorporated in \nthe guidance. When that was made clear, we then adopted the \nIG\'s approach to applying the guidance and then reported it as \na major incident.\n    Mr. Westerman. Would you say that\'s an abnormal occurrence \nor is that--or have things like that happened before where it \ntakes notification from the IG to move forward?\n    Mr. Gruenberg. I don\'t know that I can generalize. I think \nthis was an instance in which a breach occurred, new guidance \nwas issued by OMB, so we were attempting to evaluate and apply \nthe guidance to the breach. I think we frankly didn\'t get it \nright, and when the IG made us aware of that, we then complied.\n    Mr. Westerman. 
So for each of the Agencies\' notifications \nboth to Congress and Fin-Syn regarding the Florida breach, why \ndid the Inspector General have to prompt your agency to report \nyou instead of your staff opting to report the incident to \nproper entities in real time as it learned of the breach? Are \nyou saying that your staff just didn\'t understand the \nseriousness of the breach or the level of the breach?\n    Mr. Gruenberg. I think the assessment was that the incident \nwas a breach. I think the initial assessment was that it didn\'t \nrise to the level of a major incident, and as I indicated, when \nthe IG provided us analysis to the contrary, we then adopted \nthe IG\'s approach.\n    Mr. Westerman. So have there been corrective actions taken \nso that the staff is trained better or----\n    Mr. Gruenberg. Yes, that\'s one of the recommendations of \nthe IG that we have concurred with and are following through \non.\n    Mr. Westerman. What kind of steps are you taking to make \nsure this doesn\'t happen again?\n    Mr. Gruenberg. In addition to as a threshold adopting the \napplication of the guidance consistent with the IG\'s approach, \nwe\'re incorporating it in policies and procedures to ensure \nthat any incidents like this are reported in a timely way going \nforward.\n    Mr. Westerman. And what would you say your confidence level \nis that if something like this were to happen again that it \nwould be reported without the IG having to get involved?\n    Mr. Gruenberg. I think at this point I have a pretty high \nconfidence level.\n    Mr. Westerman. Okay. That\'s all the questions I have, Mr. \nChairman. I yield back.\n    Mr. Loudermilk. I thank the gentleman from Arkansas, and \nwe\'ll begin our second round of questioning, and I recognize \nmyself for five minutes.\n    Mr. Gruenberg, your CIO, Larry Gross, as you know, \ntestified before my Subcommittee, the Oversight Subcommittee, \nback in May of this year. At that hearing, Mr. 
Gross provided \nthis Committee with false and misleading testimony in multiple \nincidents about the cybersecurity breaches reported to \nCongress. For example, I asked Mr. Gross about the Florida \ncyber breach where an FDIC employee leaving the agency \nknowingly downloaded over 71,000 counts of personally \nidentifiable information and sensitive bank information onto an \nexternal hard drive. She then denied owning the external hard \ndrive, claimed she did not download the information, and \nrefused to cooperate with FDIC officials and OIG officials \ntrying to recover the hard drive.\n    Ultimately, three months after she took the information, \nthe breacher hired an attorney to negotiate with the FDIC over \nthe return of the hard drive with the information on it. Mr. \nGross told the Committee that in his opinion, the breacher was \n``telling the truth,\'\' and Mr. Gross said, ``I don\'t believe \nshe realized she took FDIC-specific data.\'\'\n    We now know that this was not true, and Mr. Gross knew at \nthe time that this was not true. Mr. Gross also claimed in the \nhearing that ``the individuals involved in these instances were \nnot computer proficient,\'\' which we also know to be false. In \nfact, the Florida incident breacher held two master\'s degrees \nin information technology, which I think any reasonable person \nwould consider that to be proficient in computer technology.\n    This Committee wrote to you a letter on May 19, 2016, \narticulating these misleading statements and more that Mr. \nGross made at that hearing. Mr. Gibson, can you corroborate of \nthose statements that were made in the May hearing by Mr. Gross \nand their inconsistencies?\n    Mr. Gibson. Sir, I believe you\'ve described accurately what \nwas said during the hearing, you know, as well as the facts \nthat surround the statements themselves.\n    Mr. Loudermilk. Thank you for that.\n    Mr. 
Gruenberg, your response to our letter did not address \nany of these inconsistencies. With that, Mr. Gruenberg, do you \ncondone Mr. Gross, your CIO, lying to Congress?\n    Mr. Gruenberg. Congressman, I can share with you my \nperspective on it for----\n    Mr. Loudermilk. Please do.\n    Mr. Gruenberg. As I indicated earlier, I think Mr. Gross \nwas assessing the facts of the situation relating both to the \ninadvertence of the employee taking the information as well as \nthe issue of her proficiency. It\'s my understanding and belief \nthat the conclusions he reached were sincerely reached.\n    Mr. Loudermilk. But Mr. Gibson was here at that testimony \nand just corroborated that Congress was misled and that the \ninformation that Mr. Gross provided this Committee was \ninconsistent. Do you--so you do not believe that he \nmisrepresented the information or misled the Committee through \nhis testimony in May?\n    Mr. Gruenberg. That was not my perception of it. I was not \naware that was the IG\'s perception.\n    Mr. Loudermilk. Mr. Gibson?\n    Mr. Gibson. Sir, what I can say is, I can say that the \nstatements were not--we don\'t believe the statements were \ncorrect. We don\'t believe they were accurate. Now, we haven\'t \nlooked at his intent in doing that so I can\'t answer that. But \nas far as the accuracy of the statements themselves goes, I \ndon\'t believe the statements were accurate.\n    Mr. Loudermilk. And that\'s what I was getting at. The \nstatements were not accurate. All indications are that he knew \ndifferent than what he was making a statement to Congress, and \nto me, trying--I mean, legally when you try to build a false \nperception, is misleading, which is a form of lying, but you do \nnot believe that that was what Mr. Gross was doing, even with \nall the evidence that\'s being presented here and in the letter \nthat was provided to you, which you failed to respond to.\n    Mr. Gruenberg. 
I think the issue is intentionality, and I \nthink if I understand it correctly, the IG\'s view is that Mr. \nGross didn\'t get it right.\n    Mr. Loudermilk. But the issue is what he said, not his \nintention. I don\'t know if he intended to lie to Congress but \nwhat he said was not true, and he knew that it wasn\'t.\n    Mr. Gruenberg. Well, I believe--for what it\'s worth--I \nbelieve Mr. Gross thought he was--he was giving you his honest \nview of the matters. He may have gotten the--he may have gotten \nit wrong. I don\'t take----\n    Mr. Loudermilk. So you say that Mr. Gross as the CIO does \nnot consider someone who has two master\'s degrees in \ninformation technology to be computer proficient?\n    Mr. Gruenberg. I don\'t know that he was aware of that at \nthe time, Congressman.\n    Mr. Loudermilk. But then he would make a statement saying \nthat she wasn\'t computer proficient without having any--it \nsounds like he\'s trying to cover something.\n    Mr. Gruenberg. I can\'t--again, I can\'t speak to his \nintentionality. I think he believed the woman lacked \nproficiency.\n    Mr. Loudermilk. And I pressed him on this because he was \nvery consistent in saying he did not believe this was \nintentionally done. He believed that all instances were not \nintentional. But yet there were already facts that we found out \nat the time that were well known. She had hired an attorney. \nShe--I mean, it was obvious that it was intentional, and we \nfound more evidence since then, but yet he consistently said he \nbelieved it was unintentional. I just don\'t see how you get \naround that he misled Congress.\n    Mr. Gruenberg. Well, it\'s hard for me to speak to what was \nin Mr. Gross\'s mind. It was my belief and perception that he \nwas giving you his sincere testimony. It may have been \nincorrect in terms of evaluating the information. I think he \nwould suggest that there was information on both sides and he \nreached a conclusion in good faith. 
I think that\'s what Mr. \nGross would indicate.\n    Mr. Loudermilk. Mr. Gibson, in your opinion, in your \ninvestigation, was this breach intentional, the Florida?\n    Mr. Gibson. Well, sir, it was described as inadvertent, and \nI certainly don\'t see it as inadvertent. You know, I would--the \nmaterial was downloaded deliberately. The material was \ndownloaded intentionally. There were file structures that were \ncreated in order to accommodate it independently. I mean, I\'m \nreally not sure how you could--a reasonable person would have \nto conclude that it was intentional.\n    Mr. Loudermilk. So my understanding was, as this was being \ndownloaded, the lady--the employee created--specifically \ncreated folders that read personal and FDIC information, \ncreated those folders, which would give an intent that they \nwere intending to download--that\'s what----\n    Mr. Gibson. That\'s would a reasonable--I think a reasonable \nperson could conclude that, yes.\n    Mr. Loudermilk. Mr. Gruenberg, I understand defending an \nemployee, but if I was in your position, I would be gravely \nconcerned with the testimony that Mr. Gross gave here in light \nof the advice that he\'s giving you may not be consistent as \nwell. Do you have any intention of disciplining Mr. Gross for \nhis testimony to Congress?\n    Mr. Gruenberg. I think, Congressman, in light of the issues \nyou raised, we will review this situation.\n    Mr. Loudermilk. Well, I appreciate that.\n    With that, I recognize my good friend, the gentleman from \nVirginia, Mr. Beyer, for five minutes.\n    Mr. Beyer. Thank you, Mr. Chairman, very much.\n    Mr. Gruenberg, I built a Land Rover-Range Rover dealership \nacross the river, and seven, eight years ago, one of my Land \nRover technicians stole all of our customer records, and he \nwent out and opened his own business, and he had a running \nstart because he was able to market to all of them. 
I could \nnever prove it in a court of law so I just got to be angry \nabout it. But it did make us go back and think about all of our \npassword protections and changing it every 30 days and the \nlike. What was going on in the culture at FDIC that would lead \nemployees to download records and take them home? They\'re \nclearly not going to start a competing FDIC.\n    Mr. Gruenberg. I can\'t, you know--we had a number of these \nincidents that were similar in their fact pattern where \nemployees were leaving the agency, they had utilized removable \nmedia, downloading personal information and downloading in \naddition sensitive information from the agency. I don\'t know if \nthere was any connecting pattern there. I don\'t know that I can \nspeak to that. It did--it does speak obviously to an underlying \ntechnological vulnerability we had relating to permitting \nemployees to use their removable media, and that\'s at least \nwhat we\'ve tried to address.\n    Mr. Beyer. Thank you. There was a slide up earlier about \nthe transcribed interview with another FDIC employee. It talked \nabout directions from Roberta McInerney about not creating an \nemail record. I understand the Majority staff had set up an \ninterview with Ms. McInerney and then had to cancel it. Are you \naware of any ongoing efforts that will be made to actually \ninterview Ms. McInerney and try to get to the bottom of why she \ndid this?\n    Mr. Gruenberg. It\'s my understanding that the interview was \npostponed. I can\'t speak to whether it\'ll be rescheduled or \nnot.\n    Mr. Beyer. Any sense of the consequences from the top for \nMs. McInerney for giving these directions?\n    Mr. Gruenberg. I think we\'ll have to review the \ncircumstances here.\n    Mr. Beyer. Okay. 
Certainly, from a good government, \ntransparent government perspective, if true, it\'s pretty \nterrible stuff.\n    The OIG and some in the CIO\'s own office disagreed with the \nCIO\'s initial determination that the Florida incident wasn\'t a \nquote, unquote, major incident, but then after the February 19 \nOIG memo recommending the breach be determined major and \nimmediately reported to Congress, you did that within 7 days. \nIn fact, the CIO had said that the FDIC agreed to abide by the \nOIG\'s interpretation of a major incident as defined in OMB memo \n1603.\n    However, one of the recent major incidents, the one on \nMarch 26, 2016, wasn\'t reported to Congress for 5 weeks until \nMay 9, 2016, which is well after the 7-day reporting \nrequirement, well after you\'d agreed that the OMB memo made \nsense. Can you explain the delay in Congressional notification, \nand do we have your assurance that data breaches determined to \nbe major will be reported within the 7-day time period?\n    Mr. Gruenberg. Yes, you certainly do, Congressman.\n    Mr. Beyer. Any idea how to explain the 5-week breach from \nMarch 26 to May 9? Because this is significantly later than the \nOctober incident last year.\n    Mr. Gruenberg. I think--I have to go back and check for \nsure. We were also checking the record for the breaches going \nback to October 30, whether other breaches had occurred, and we \nwere identifying additional breaches, and I think the thought \nwas to aggregate them and bring them together and report them \nat one time to Congress so they\'d have the benefit of all of \nthem. In retrospect, we probably should have just gone ahead \nwith the 7-day.\n    Mr. Beyer. Because it\'s easier to explain the October one \nwhere it was initially identified as not major than to explain \nand to justify the later ones.\n    Mr. Chair, I yield back.\n    Mr. Loudermilk. I thank the gentleman from Virginia, and \nthe Chair recognizes the gentleman from Louisiana, Mr. 
Abraham, \nfor five minutes.\n    Mr. Abraham. Thank you, Mr. Chairman.\n    Mr. Gruenberg, I think in this hearing and the other \nhearings that I\'ve attended in Congress, if I had a dollar for \nevery time I heard the phrase ``I\'ll review and get back to \nyou,\'\' I could significantly pay down the national debt.\n    I\'ve got a letter that I\'ll ask to submit for the record, \nMr. Chairman, that Mr. Gruenberg wrote to you and Chairman \nSmith May 25, 2016.\n    Mr. Loudermilk. Without objection, so ordered.\n    [The information appears in Appendix II]\n    Mr. Abraham. Mr. Gruenberg, in this letter, you wrote that \nChairman it was discussing the major incidences that you have \nnot reported to Congress. In your letter, you wrote, and I \nquote, ``In each instance, the information was recovered and \nthere was no evidence of further dissemination or disclosure.\'\' \nDo you stand by that statement in the letter?\n    Mr. Gruenberg. Yeah, I believe we have no evidence of \nfurther dissemination, yes, sir.\n    Mr. Abraham. Well, I may disagree a little bit. Isn\'t it \ntrue that at least one of the cases you were only able to \nrecover a copy of the USB that was taken off premise?\n    Mr. Gruenberg. Yes, in one case the original----\n    Mr. Abraham. You didn\'t get the original back?\n    Mr. Gruenberg. Correct. It had been destroyed.\n    Mr. Abraham. So really, you didn\'t recover all the \nevidence?\n    Mr. Gruenberg. Oh, we recovered--there was a copy made and \nwe did----\n    Mr. Abraham. But we still got something out there possibly?\n    Mr. Gruenberg. We do. That\'s--you know, that\'s why you \ncan\'t say with certainty that there was no dissemination. We \njust haven\'t identified any.\n    Mr. Abraham. Mr. Gibson, what\'s your take on this?\n    Mr. Gibson. Well, sir, in--I have to think through the \nincidents themselves. In at least----\n    Mr. Abraham. Well, let\'s just take this one case.\n    Mr. Gibson. 
In that one case, you know, the individual took \nthe USB drive when they left the agency. They copied the data \noff of it at some point in time, destroyed the original USB \ndrive----\n    Mr. Abraham. Do we know that it was destroyed?\n    Mr. Gibson. No, we don\'t. There\'s no assurance----\n    Mr. Abraham. That\'s a major concern to me. I mean, I can \ntell you one thing, but doing something is a whole different--\n--\n    Mr. Gibson. Yeah. No, it was done in a manner where there \nreally isn\'t any assurance of what happened to it. I mean, \nthere was no receipt for it. It was given to a third party to \ndestroy. There was no receipt. There\'s no record at the company \nof the destruction. There\'s no way for us to verify \nindependently that it was done.\n    Mr. Abraham. And clarify for me, has it now been stopped, a \ndevelopment of a program that would detect these insider \nthreats? Is that where we\'re at now that we are not developing \na program? Where does that stand?\n    Mr. Gruenberg. That\'s one of the recommendations of the \nIG\'s report, and we\'ve concurred with it and are in the--we \nhave been developing the program and we anticipate bringing it \nto a conclusion and implementation by the end of this year, I \nbelieve, Congressman.\n    Mr. Abraham. I mean, it just--it\'s beyond the pale that we \nwouldn\'t want to detect an insider threat.\n    Mr. Gruenberg. Right. No, no it\'s----\n    Mr. Abraham. Certainly after Mr. Snowden\'s major episode.\n    I yield back, Mr. Chairman. Thank you, sir.\n    Mr. Loudermilk. I thank the gentleman, and also I would \nlike to thank the Office of the Inspector General for the two \nreports recently issued on this, the FDIC\'s control for \nmitigating the risk of unauthorized release of sensitive \nresolution plans and also the FDIC\'s process for identifying \nand reporting major information security incidents. 
We thank \nyou for your work on that, and without objection, I would like \nto submit these for the record.\n    Without objection, so ordered.\n    [The information appears in Appendix II]\n    Mr. Loudermilk. I also look forward to Mr. Gruenberg \nresponding to the numerous questions and requests in a timely \nmanner to the Committee because this is an ongoing \ninvestigation and we\'ll continue to investigate and research \nthe facts in this matter in the coming weeks and months, and I \nthank both witnesses, Mr. Gibson and Mr. Gruenberg, for being \nwith us today. I thank our Members of the Committee for their \nvery important questions.\n    And just a reminder that the record will remain open for \ntwo weeks for additional comments and written questions from \nMembers.\n    Mr. Loudermilk. And with that, this meeting is adjourned.\n    [Whereupon, at 12:17 p.m., the Committee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n'
