[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                       EVALUATING FDIC'S RESPONSE
                        TO MAJOR DATA BREACHES:
                        IS THE FDIC SAFEGUARDING
                    CONSUMERS' BANKING INFORMATION?

=======================================================================

                                 HEARING

                               BEFORE THE

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             July 14, 2016

                               __________

                           Serial No. 114-88

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 
 
       Available via the World Wide Web: http://science.house.gov
       
                              ______________
                              
                              
                    U.S. GOVERNMENT PUBLISHING OFFICE
20-917PDF                    WASHINGTON : 2017                 
              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
WARREN DAVIDSON, Ohio
                            
                            
                                CONTENTS

                              July 14, 2016

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives
    Written Statement

                               Witnesses:

The Honorable Martin J. Gruenberg, Chairman, FDIC
    Oral Statement
    Written Statement

Mr. Fred W. Gibson, Acting Inspector General, FDIC
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

The Honorable Martin J. Gruenberg, Chairman, FDIC

Mr. Fred W. Gibson, Acting Inspector General, FDIC

            Appendix II: Additional Material for the Record

Documents submitted by Representative Barry Loudermilk, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives

Document submitted by Representative Randy Neugebauer, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives

Document submitted by Representative Gary Palmer, Committee on 
  Science, Space, and Technology, U.S. House of Representatives

Document submitted by Representative Bruce Westerman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives

 
                       EVALUATING FDIC'S RESPONSE
                        TO MAJOR DATA BREACHES:
                        IS THE FDIC SAFEGUARDING
                    CONSUMERS' BANKING INFORMATION?

                              ----------                              


                        THURSDAY, JULY 14, 2016

                  House of Representatives,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Committee met, pursuant to call, at 10:07 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. Lamar Smith 
[Chairman of the Committee] presiding.

    Chairman Smith. The Committee on Science, Space, and 
Technology will come to order.
    Without objection, the Chair is authorized to declare 
recesses of the Committee at any time.
    Welcome to today's hearing titled ``Evaluating FDIC's 
Response to Major Data Breaches: Is the FDIC Safeguarding 
Consumers' Banking Information?''
    I'll recognize myself for an opening statement and then the 
Ranking Member.
    The Acting Inspector General's recent audit confirms 
exactly what the Committee's ongoing investigation revealed: 
FDIC continues to have significant cybersecurity weaknesses.
    Over the course of the Committee's bipartisan 
investigation, we have learned a great deal about the FDIC and 
how they conduct business. Yesterday we released an Interim 
Report by majority Committee staff.
    The report contains the following findings: One: The FDIC 
has historically experienced deficiencies related to its 
cybersecurity posture, and those deficiencies continue to be 
present.
    Two: The Chief Information Officer created a toxic work 
environment, misled Congress, and retaliated against 
whistleblowers.
    Three: The FDIC deliberately evaded Congressional 
oversight.
    The FDIC experienced at least eight major breaches that 
they have determined met the reporting guidelines issued by the 
Office of Management and Budget. The IG found that one of these 
breaches required law enforcement involvement. This was the 
September 2015, New York breach, in which a disgruntled 
employee, without authorization, downloaded sensitive 
resolution plans, also referred to as living wills. This 
breach, according to the IG's report and confirmed by a 
witness's testimony during our ongoing investigation, revealed 
that had the FDIC taken more than just the initial steps to 
implement a formal insider threat program, this breach could 
have been prevented or at the very least detected much earlier.
    In a separate report, the IG found that the FDIC did not 
properly interpret and apply the reporting criteria required by 
a major incident, as articulated in the Office of Management 
and Budget memorandum. The OIG found that reasonable grounds 
existed to deem the Florida breach major but the FDIC waited 
four months to notify Congress.
    The Committee is pleased that as a result of our hearing in 
May, the FDIC began the process of contacting individuals whose 
personally identifiable information had been compromised and 
offered them credit monitoring. The Committee also appreciates 
the fact that after nearly four months, the FDIC is working to 
produce all documents and communications that we have requested 
in multiple letters.
    The agency initially produced redacted summaries of 
responsive documents and a limited set of email communications, 
but whistleblowers and the IG's staff immediately informed the 
Committee that we were not getting the whole story.
    This has been the overarching theme of the Committee's 
dealings with the FDIC: we're not getting the whole story. 
Based on interviews and documents, there is a culture of 
concealment at the FDIC.
    For example, the Office of Legislative Affairs staff, 
according to testimony, knowingly failed to provide the 
Committee with a full and complete production of documents.
    The Office of General Counsel's staff directed their 
employees not to put certain opinions and analysis in emails or 
other written forms, presumably to avoid discovery through the 
Congressional oversight process.
    This Committee takes seriously its cybersecurity 
responsibilities under the Federal Information Security 
Modernization Act of 2014, or FISMA, as well as our 
responsibility to root out waste, fraud, abuse, and 
mismanagement.
    Our investigation has identified serious management 
deficiencies in the CIO's office. Certain FDIC employees 
believe that not only is he doing a poor job of protecting the 
agency's sensitive information technology, but also he's 
created a hostile work environment. One witness called Mr. 
Gross ``vindictive,'' removing his staff from leading projects 
if they disagreed with his opinions.
    The FDIC needs to be accountable for breaches of 
cybersecurity and responsive to the findings of our 
investigation.
    We look forward to receiving all the requested documents 
and hearing about what steps the FDIC is taking to protect 
sensitive banking documents and taxpayers' personal 
information.
    [The prepared statement of Chairman Smith follows:]
    Chairman Smith. That concludes my opening statement, and 
the gentlewoman from Texas, Eddie Bernice Johnson, is 
recognized for hers.
    Ms. Johnson. Thank you very much, Mr. Chairman, and welcome 
to our witnesses.
    As we have learned over the course of many hearings before 
this Committee, cybersecurity is a never-ending struggle. 
Public and private entities alike are engaged in a constantly 
evolving challenge to prevent both intentional data breaches 
and unintentional dissemination of sensitive information.
    Since the last hearing we held on data breaches at the 
Federal Deposit Insurance Corporation--the FDIC--just two 
months ago, 32 million Twitter users had their login 
credentials compromised, Walmart's corporate headquarters 
disclosed the unauthorized access to data of more than 27,000 
customers, and the medical records of thousands of National 
Football League--the NFL--players were compromised when a 
laptop computer was stolen from a car.
    Today is the Committee's second hearing on the FDIC's 
handling of several data breaches that occurred since October 
2015 when the Office of Management and Budget--the OMB--issued 
new cybersecurity guidance. The OMB memo, known as Memo 16-03, 
helped to define what constitutes a major data breach and 
requires reporting incidents designated as major to Congress 
within seven days of such a determination. Data from the FDIC 
is particularly sensitive, and may include personal banking 
information and data indicating potential criminal activity 
such as suspicious activity reports.
    The agency failed to notify Congress of seven major data 
breaches within the 7-day time frame that OMB requires from 
October 2015 through February 2016.
    During our Oversight Subcommittee hearing on this topic in 
May, the FDIC's Chief Information Officer described these data 
breaches as inadvertent and occurring without malicious intent. 
The FDIC Acting Inspector General, Mr. Fred Gibson, testified 
at that hearing and is a witness here today. His office 
released two audits of the FDIC's data breaches last week, and 
the evidence his office gathered clearly shows that in at least 
one of the seven breaches, the data was not taken accidentally. 
His office is in the process of conducting a further forensic 
review of the remaining six incidents.
    I think it's fair to say that our May hearing yielded 
bipartisan agreement that the FDIC's interpretation of the OMB 
guidelines was flawed. It is also clear that FDIC did not 
initially provide all documents responsive to the Committee's 
requests.
    However, I do not agree with my Majority colleagues as to 
what constitutes evidence of intent. The Majority is likely to 
allege that the CIO intentionally misled the Committee and that 
the agency attempted to obstruct the Committee's investigation 
into these events. I do not believe the Committee has uncovered 
convincing evidence to support those allegations. I am not 
dismissing the testimony of some of the FDIC employees who have 
been interviewed but it is our responsibility to make sure we 
have all of the evidence and have heard from all parties before 
we begin to wave around serious allegations of criminal intent.
    What I do believe is this. First, the recent reports issued 
by the Inspector General's office on the data breaches at FDIC 
point to a series of corrective actions that I hope will 
improve the agency's ability to appropriately respond to the 
multiple cybersecurity threats we all face. I do believe the 
FDIC Chairman takes these issues seriously. He has a strong 
track record on responding to cybersecurity challenges, 
including holding his staff accountable.
    Second, all federal agencies need strong, competent, 
independent chief information officers--chief information 
security officers, and I am glad that both the IG's office as 
well as the Government Accountability Office, or GAO, are now 
engaged in separate reviews of the appropriate role, placement, 
and authorities of the Chief Information Security Officer at 
FDIC and other federal agencies.
    And finally, while we investigate failures at different 
agencies to fully and properly implement federal cybersecurity 
requirements, we should also support agency efforts to continue 
to strengthen their cybersecurity posture as the technologies 
and the threats rapidly evolve around them.
    I look forward to hearing from both Mr. Gruenberg and 
Acting IG Mr. Gibson.
    Thank you, Mr. Chairman. I yield back.
    [The prepared statement of Ms. Johnson follows:]
    Chairman Smith. Thank you, Mrs. Johnson.
    Let me introduce our witnesses. Our first witness today is 
Mr. Martin Gruenberg, Chairman of the Federal Deposit Insurance 
Corporation. Mr. Gruenberg previously served as Vice Chairman 
and Member of the FDIC Board of Directors. He was also Chairman 
of the Executive Council and President of the International 
Association of Deposit Insurers. Mr. Gruenberg received his 
bachelor's degree from Princeton University's Woodrow Wilson 
School of Public Policy and International Affairs and his J.D. 
from Case Western Reserve Law School.
    Our second witness is Mr. Fred Gibson, Acting Inspector 
General of the Federal Deposit Insurance Corporation. Mr. 
Gibson previously has served with the Resolution Trust 
Corporation Office of Inspector General as Principal Deputy 
Inspector General and Counsel to the Inspector General. Mr. 
Gibson received his bachelor's degree in history from the 
University of Texas at Austin and his master's degree in 
Russian area studies from Georgetown University. He also 
received his J.D. from the University of Texas School of Law.
    We welcome you both, and Chairman Gruenberg, if you'll 
begin?

   STATEMENT OF THE HON. MARTIN J. GRUENBERG, CHAIRMAN, FDIC

    Mr. Gruenberg. Thank you, Mr. Chairman. Chairman Smith, 
Ranking Member Johnson, and members of the Committee, thank you 
for the opportunity to appear before you today.
    An effective information security and privacy program is 
critical to the FDIC's mission of maintaining stability and 
public confidence in the Nation's financial system.
    My testimony today will discuss the recent incidents 
pertaining to information security at the FDIC and our response 
to the two related Office of Inspector General audits.
    The first audit was of the FDIC's controls for mitigating 
the risk of an unauthorized release of sensitive resolution 
plans. As detailed in my written statement, on September 29, 
2015, the FDIC determined through use of our Data Loss 
Prevention software that immediately prior to resignation, an 
employee in the FDIC's Office of Complex Financial Institutions 
had transferred copies of sensitive resolution plans from the 
internal network onto an unencrypted removable storage device, 
which was prohibited by FDIC policy. The FDIC notified the OIG 
of the incident on September 29, and law enforcement officials 
later recovered the storage device from the former employee. 
The OIG began an audit to determine the factors that 
contributed to this incident, and to assess the adequacy of 
mitigating controls.
    Its final audit report identified several weaknesses that 
the FDIC needed to address and made six recommendations. We 
concur with the findings and recommendations, and expect to 
complete implementation of our responsive actions by the end of 
2016. These include a recommendation that the FDIC establish an 
agency-wide insider threat program, which we have committed to 
fully implement by the end of this year. In addition, the OIG 
noted that a key control intended to prevent users from copying 
information to removable media failed to operate as intended. 
We are now installing a new software version that addresses the 
observed defects and plan that installation to be completed by 
August 26.
    The second audit I'd like to address is the OIG's audit of 
the FDIC's process for identifying and reporting major 
incidents, which stemmed from a breach of sensitive information 
that's referenced in the OIG report as the ``Florida Incident''. 
This incident involved a former FDIC employee who copied a 
large quantity of sensitive information to removable media and 
took the information when departing FDIC employment on October 
15 of 2015. The FDIC detected the incident through its DLP 
software on October 23. The employee, who was initially 
resistant, ultimately returned the device on December 8 of last 
year.
    Also during this time, on October 30 of last year, the 
Office of Management and Budget issued guidance on the 
reporting of ``major incidents''. In initially assessing the 
application of this new guidance and consistent with FDIC 
policy and procedure, the CIO considered the incident's risk of 
harm and reached the conclusion that although it was a breach, 
it did not rise to the level of a ``major incident''.
    On February 19 of this year, the FDIC received an OIG memo 
analyzing the Florida incident in which the OIG concluded that 
the FDIC had not properly applied the OMB guidance for 
classifying the incident as a ``major incident''. The OIG found 
that the FDIC had based its determination on mitigating factors 
relating to ``risk of harm'', but that such factors are not 
addressed in the guidance and therefore are not relevant in 
determining whether or not incidents are major. The OIG 
determined that the FDIC should instead have reported the 
incident to Congress as a major incident no later than 7 days 
of having determined at least 10,000 Social Security Numbers 
were involved.
    Having received this OIG memorandum, the FDIC proceeded to 
give Congressional notification on February 26 of this year. We 
then reviewed other incidents that had occurred since issuance 
of the guidance and reported six additional incidents to 
Congress between March and May.
    In retrospect, and in light of the OIG's report findings, 
we should not have considered what we believed to be mitigating 
factors when applying the OMB guidance. We also failed to 
provide adequate context when reporting to Congress on the 
Florida incident and should have notified the potentially 
affected individuals when the notice to Congress was given in 
February.
    We agree with the OIG conclusions and are working on each 
of their recommended corrective actions. Our expectation is 
that taking the steps outlined in the responses to the OIG 
reports will minimize the potential for similar incidents. I 
would note that the OIG's reports state that our planned 
actions are responsive and that the recommendations are 
resolved.
    We have also discontinued the use of removable media at the 
FDIC except for limited exceptions for the GAO, OIG, and our 
legal division. We will keep the OIG and Congress informed of 
our progress.
    Finally, if I may add, Mr. Chairman, there have been 
reports about advanced, persistent threat incidents in 2010 and 
2011 at the FDIC. The Office of Inspector General provided me 
an investigative report back in May of 2013 on the incidents, 
which found that our Division of Information Technology did not 
fully inform me and other board members and senior executives 
about the incidents. As a result of that OIG report, we took a 
number of steps including engaging an independent cybersecurity 
firm to assist our system, and personnel changes were made.
    Mr. Chairman, thank you again for the opportunity to 
testify today and I'd be happy to answer your questions.
    [The prepared statement of Mr. Gruenberg follows:]
    Chairman Smith. Thank you, Chairman Gruenberg.
    And Mr. Gibson.

                STATEMENT OF MR. FRED W. GIBSON,

                 ACTING INSPECTOR GENERAL, FDIC

    Mr. Gibson. Thank you, Chairman Smith, Ranking Member 
Johnson, Members of the Committee. Thank you for the invitation 
to speak with you today.
    Since I last testified before this Committee's Subcommittee 
on Oversight, my office has completed two publicly available 
audits relating to the information security posture of the 
FDIC. Our first audit dealt with the FDIC's process for 
identifying and reporting major incidents and focused on the 
reporting of one such incident, which is being referred to as 
the Florida incident.
    This incident involved a former FDIC employee who copied a 
large quantity of sensitive FDIC information to removable media 
and took this information when the employee left in October of 
2015. The FDIC detected the incident through its data loss 
prevention tool. We determined that although the FDIC had 
established various incident response policies, procedures, 
guidelines, and processes, these controls did not provide 
reasonable assurance that major incidents were identified and 
reported in a timely manner consistent with the law and OMB 
guidance. We made five recommendations that were intended to 
provide the FDIC with greater assurance that major incidents 
are accurately identified and promptly reported.
    Our analysis of the Florida incident prompted the FDIC to 
initiate a review of similar incidents involving departing 
employees that occurred after the OMB issued applicable 
guidance in October of 2015. Based on its review between March 
and May 2016, the FDIC reported six additional incidents to the 
Congress as major. We are currently studying these incidents 
and the manner in which they were reported and expect to 
complete this work by mid-September.
    In a second audit, we reviewed the Corporation's controls 
for mitigating the risk of an unauthorized release of sensitive 
resolution plans. Under Dodd-Frank, designated systemically 
important institutions must provide resolution plans to federal 
bank regulators. These resolution plans, or living wills, 
contain some of the most sensitive information that the FDIC 
maintains.
    In September 2015, an FDIC employee working in the FDIC's 
Office of Complex Financial Institutions abruptly resigned from 
the Corporation and took copies of non-public components of 
resolution plans without authorization and in violation of 
FDIC's policies. The incident is not one of the seven that the 
FDIC reported as major to the Congress. Our work identified a 
number of factors contributing to the security incident. We 
concluded that an Insider Threat program would have better 
enabled the FDIC to deter, detect and mitigate the risk of an 
event like this, and a key security control designed to prevent 
employees with access to sensitive resolution plans from 
copying electronic information to removable media had failed to 
operate as it was intended. Our report contains six 
recommendations. One is that the FDIC establish a corporate-
wide Insider Threat program.
    The FDIC concurred with the recommendations we made in both 
audits and has outlined actions that would be responsive. We 
will follow up carefully on the implementation of each of those 
recommendations.
    We will also complete this year's FISMA audit in the fall. 
The report will build upon the work I've described today and 
will broadly assess the effectiveness of the FDIC's information 
security program and practices.
    In addition, we have ongoing work related to the FDIC's 
plans and actions to address earlier audit recommendations 
pertaining to credentialing and multifactor authentication. We 
plan to initiate additional audit work in such areas as data 
breach notification and the FDIC's information technology 
enterprise architecture.
    Finally, we also have open investigations relating to 
several of these matters, which have not reached the stage 
where further public discussion would be appropriate.
    In any case, thank you again. I look forward to answering 
any questions the Committee may have about these or any related 
matters.
    [The prepared statement of Mr. Gibson follows:]
    Chairman Smith. Thank you, Mr. Gibson, and I'll recognize 
myself for questions.
    Chairman Gruenberg, let me address my first one to you and 
say that it's our understanding that no staff has been 
reprimanded for mishandling the cybersecurity breaches, no 
staff has been reassigned because of the mishandling of 
breaches, and the appearance is that no one's been held 
accountable for the breaches. I am just wondering why not.
    Mr. Gruenberg. Thank you, Mr. Chairman. If I may, let me 
give you my perspective on this, particularly in regard to our 
CIO, who I think has been the lead person responsible in this 
area. I understand this may not be consistent with your 
perspective but I wanted to give you my perspective for what 
it's worth from my position. As you know, the incident that 
precipitated this, the Florida, so-called ``Florida Incident'', 
occurred on October 15, and was identified on October 23, and 
the OMB guidance on major incident was issued on October 30, 
and our CIO began--assumed his responsibilities on November 2. 
So what we had was sort of a confluence of developments. The 
breach occurred and was identified, the guidance was issued, 
and our CIO assumed his new position. It was sort of presented, 
if I may say, with a pretty--for a guy just starting the job--a 
pretty difficult situation to sort through. He had the breach 
occur. He had to--the decision was made that even though the 
breach occurred before the issuance of the guidance there'd be 
an effort made to apply the guidance to the breach, but it was 
new guidance, first impression without real precedent to go by.
    Chairman Smith. Right. Let me interrupt you just briefly.
    You had six major breaches. One was so serious it involved 
law enforcement, and there were a number of individuals 
involved, not just the one CIO, but it appears that again no 
reprimands, no reassignments, no accountability for anyone, and 
that sends a message that the breaches are not necessarily 
being taken seriously.
    Mr. Gruenberg. Mr. Chairman, I assure you we have no higher 
priority at the FDIC than addressing these matters. We 
certainly are prepared to consider the information provided by 
the Committee and review and consider them in regard to the----
    Chairman Smith. And this particular breach was not reported 
to the Committee for four months. Was there any good 
explanation why the FDIC waited to report the incident?
    Mr. Gruenberg. This is in regard to the Florida incident?
    Chairman Smith. The Florida incident. Correct.
    Mr. Gruenberg. If I could just complete my comments on 
that.
    The CIO, who is the responsible official, was trying to 
sort through the application of the new guidance to this 
incident. He utilized existing FDIC policy of considering the 
risk of harm, applying the guidance, and utilizing mitigating 
factors applying to risk of harm, and a conclusion was reached 
that that incident was a breach that would be reportable under 
FISMA, but did not rise to the level of a ``major incident''. 
That was the assessment made based on the facts available to 
the CIO.
    That occurred in December. When the OIG, who then was 
reviewing this matter, provided a memo in February, on February 
19 saying no, you got it wrong, these mitigating factors are 
not provided in the guidance, they're not relevant----
    Chairman Smith. There was a difference of opinion as to how 
you define ``major''?
    Mr. Gruenberg. That's really what it came down to, and I 
guess what I want to suggest, and I understand there may be a 
difference of view. While we may have gotten it wrong, while 
the CIO may have gotten it wrong, I think, at least my 
perspective is, there was an honest effort here to review the 
guidance, consider mitigating factors, and make a reasonable 
judgment. The judgment may have been wrong, but I don't think 
there was malintent here. That's what I wanted to convey.
    Chairman Smith. Thank you, Chairman Gruenberg.
    And Mr. Gibson, are you satisfied that the FDIC are taking 
the necessary steps or will take the necessary steps to address 
your findings?
    Mr. Gibson. Sir, in our view, the FDIC has described 
actions that if taken will be responsive to the recommendations 
of each one of our audits. I mean, it's our intention to follow 
up with respect to the implementation of each one in order to 
ensure both that they're implemented and that it's done so in 
an effective manner and that the effect of those actions 
achieves the goal that we were trying to achieve.
    Chairman Smith. Okay. Thank you, Mr. Gibson.
    I'll recognize the Ranking Member, Eddie Bernice Johnson, 
for her questions, but let me say that I'm going to need to 
shuttle between this Committee hearing and another committee 
hearing, so I'm going to turn the chair over to the gentleman 
from Georgia, Mr. Loudermilk, and hope to return.
    The gentlewoman from Texas is recognized for her questions.
    Ms. Johnson. Thank you, Mr. Chairman.
    Chairman Gruenberg, several years ago before the current 
CIO came to the agency, the FDIC suffered from a cyber-attack 
by a foreign government. I understand that a senior IT security 
staff member failed to inform you about this breach at the 
time. Once you found out about it, I also understand that you 
took disciplinary actions against some of these individuals who 
failed to inform you of this breach.
    The FDIC IG's office says that in one of the recent data 
breaches, known as the Florida Incident, your Chief of 
Information Officer decided not to forward information to you 
about the breach because he made the determination it was not a 
major incident and therefore did not need to pass this along 
for your approval.
    Given this history, are you taking any specific steps to 
ensure that you are being kept well-informed of cybersecurity 
issues at your agency?
    Mr. Gruenberg. Thank you, Congresswoman. We are, needless 
to say, very focused on this set of issues. As I indicated, 
they are critical and essential to the functioning and 
credibility of our agency, and we are engaging on a daily basis 
in terms of complying with all of the recommendations and 
implementing all of the recommendations made by the OIG 
including implementing policies and procedures relating to 
major incidents that will assure the timely reporting to 
Congress if such incidents should occur again.
    Ms. Johnson. Thank you.
    Mr. Gibson, I understand that your office is undertaking 
review of the role of the Chief Information Security Officer to 
make sure that he or she has the authorities and independence 
necessary to ensure a strong cybersecurity posture for the 
agency. I know that this review is just getting started, but 
can you tell us what sorts of questions you are trying to 
address and why you're conducting this in the first place?
    Mr. Gibson. Yes, ma'am. We believe that the Chief 
Information Security Officer as a matter of principle should be 
in a position to speak up and in a position to inform those in 
the corporation who need to know what the status is of 
incidents of information that may be relevant pertaining to the 
security of the system. I'm not sure that we have reached--we 
obviously haven't reached any conclusions yet but the goal is 
essentially to reach a reasoned assessment as to whether the 
CISO in current structure where the CISO reports to the Chief 
Information Officer is able to provide that independent, 
security-minded voice with respect to that information or 
whether it's a position that should organizationally and from a 
governance standpoint be separated so that there's a degree of 
independence and a degree of ability to speak up.
    Ms. Johnson. Now, in regards to the seven data breaches 
reported to Congress by the FDIC as major incidences, do you 
believe that the circumstances in those specific cases gave the 
agency the discretion to determine that they were not major 
incidences as they initially were determined?
    Mr. Gibson. We're still reviewing all six of those 
incidents so our work isn't complete. What I would say at this 
point in time preliminarily is we believe they should all have 
been reported as major incidents consistent with 16-03.
    Ms. Johnson. Thank you very much.
    I yield back.
    Mr. Loudermilk. [Presiding] I thank the lady from Texas, 
and now recognize myself for five minutes for questions.
    Mr. Gruenberg, you had mentioned earlier that Mr. Gross was 
assessing the risk of harm as one of the reasons that it wasn't 
reported to Congress. I may remind you that risk of harm is not 
one of the criteria in OMB. It's the scope and the type of 
documents which I think is clearly in the realm of what should 
have been reported and reported within seven days, not in 
several months, but it's not the place of this Committee to try 
to micromanage the operations within FDIC, but when the 
operations puts at risk the safety and security of American 
citizens or our national security, then it is our 
responsibility, it's our duty to inject ourselves on behalf of 
the American people.
    And so in our previous hearing, we really looked at in 
depth, as in depth we could, as to what happened in those data 
breaches. Today I want to assess what is the response. Because 
I think it's important that we understand the direction that 
you're taking. Is it effective? Are we actually trying to 
correct that as we go forward in still investigating what 
happened and why the law was not followed? We also need to know 
what direction you're going.
    Now, I understand that through testimony before that you 
have a data loss-prevention program, DLP, that is, I believe, a 
Symantec program, that actually notified the FDIC and your data 
team that this data had been copied, and so that kind of 
prompted your internal investigation into that. I also 
understand that Mr. Gross is now fast-tracking a number of 
other initiatives to show progress on remedying these security 
breaches and, you know, normally this--we would take that as 
good news that you're giving priority and importance to trying 
to resolve this, but it appears that some of these initiatives 
Mr. Gross is spearheading are not the solutions that really are 
going to fix the problem but may exacerbate the problem and 
make it worse.
    Mr. Gruenberg, are you aware that Mr. Gross has planned 
out--planned a rollout of a Digital Rights Management System?
    Mr. Gruenberg. Yes, Congressman.
    Mr. Loudermilk. You are. Do you support that initiative?
    Mr. Gruenberg. As it's been explained to me, it seems like 
a reasonable step for us to take.
    Mr. Loudermilk. Okay. And you trust that--is it Mr. Gross 
that has explained that to you?
    Mr. Gruenberg. Yes, sir.
    Mr. Loudermilk. It has. Do you understand the benefit that 
DRM will have for cybersecurity protection at the FDIC?
    Mr. Gruenberg. I have some understanding. I don't hold 
myself out as a technology expert but I do have some 
understanding.
    Mr. Loudermilk. Well, I spent 30 years in the IT business 
so I have somewhat of an understanding, but it is an evolving 
field. Basically, the Digital Right Management is a method of 
encrypting and applying rules of access or non-access to 
specific documents.
    Mr. Gruenberg, I understand that the FDIC has this DLP 
that--and as I brought up the DLP earlier, you were nodding 
that yes, it did notify your data security team of that data 
being copied. Are you aware that the rollout of DRM will 
actually render DLP ineffective?
    Mr. Gruenberg. Not to my understanding, Congressman.
    Mr. Loudermilk. So you haven't been briefed that it would 
actually render ineffective the current security system that 
actually notified you of that breach?
    Mr. Gruenberg. Not that I'm aware of, no, sir.
    Mr. Loudermilk. Let me mention an email provided to the 
Committee by a whistleblower in the FDIC discussing the actual 
impact DRM will have. This email was sent on July 1, 2016, so 
it was pretty recent, and the subject line reads ``risk to 
FDIC's data.'' Now, we have redacted the email and I am just 
going to summarize it, one, because we feel that if I read the 
details as it was written, it would provide--it would even 
exacerbate your current security risk that you have but also we 
have concerns of retribution on the whistleblowers within your 
organization. Basically this is from a senior expert within the 
FDIC that says, and I summarize or paraphrase, that there is a 
great risk of losing control over your data by simply releasing 
DRM without a lot of other work being done first, especially 
data classifications, labeling and access rights, which has not 
been done. It says each of these has to be done or essentially 
applying a DRM file will bypass the current DLP controls. This 
makes DRM a high risk to undetected data loss. It sounds like 
an environment that is supported by CIO, Mr. Gross, doesn't 
really understand what he's doing, and maybe he's just 
responding to the inquiries of this Committee to show that he's 
doing something but it will not actually have a positive effect 
but actually have a negative effect.
    How do these types of fundamental security conflicts arise 
at the FDIC? Do you feel Mr. Gross has been giving you the full 
extent of what the system will do?
    Mr. Gruenberg. I do believe so, Congressman. I take very 
seriously the points you raise, and if I may, let us go back 
and take a look at the issue you raised, particularly in regard 
to DRM and its impact on the DLP. I think that's an important 
point. If we may, let us look into it and we'll come back to 
you.
    Mr. Loudermilk. I appreciate it.
    Now, I understand that right now there's no permanent Chief 
Information Security Officer in place. Is that true?
    Mr. Gruenberg. That is true. We're in the process of 
putting out a notice soliciting individuals for that position.
    Mr. Loudermilk. Do you feel that position is very vital?
    Mr. Gruenberg. Central, sir.
    Mr. Loudermilk. But yet you're going ahead with the rollout 
or fast-tracking rollout of a security program without this 
position being filled.
    Mr. Gruenberg. I think, if I may say, in regard to--if 
you're referencing DRM, I mean, that's still in the initial 
phase, so we will go back and consider the points you raised. 
This is going to be done in a very careful and deliberate way, 
and if the issues you raise are on point, we'll obviously take 
that into consideration.
    Mr. Loudermilk. Well, I think it would be very advisable to 
do that, and I'm quickly--I've exceeded my time. But does the 
FDIC have any classified material of any quantity?
    Mr. Gruenberg. We do have a so-called SCIF.
    Mr. Loudermilk. Is that information in danger if we 
continue to have conflicts like rolling out a DRM that will 
circumvent the current security protocols you have in place?
    Mr. Gruenberg. Not to my understanding but let me be sure I 
understand it before I give you a conclusive answer on that.
    Mr. Loudermilk. My time's expired, and I now recognize the 
gentlewoman from Oregon, Ms. Bonamici, for five minutes.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank 
you for calling this hearing.
    Chairman Gruenberg, can you provide us with an update of 
the actions that the agency has taken to notify any individuals 
affected by all of the major data breaches? Have you offered 
credit monitoring services, for example? And if they have not 
been notified, when will that happen?
    Mr. Gruenberg. We are undertaking notifying and providing 
credit monitoring to all the individuals affected by those 
seven breaches.
    Ms. Bonamici. And Mr. Gibson, one of the two audit reports 
you released last week looked at a data-breach case in New York 
and suggested that the Insider Threat program could have 
potentially helped prevent that data breach. That language is 
pretty strong. The report mentions that the program was stalled 
in the fall of 2015. So will you please explain the importance 
of the Insider Threat program, and what happened? Why did it 
stall? Because that's a pretty serious issue.
    Mr. Gibson. Sure. The Insider Threat program is an 
overarching program that allows the integration of information 
from multiple sources to assess whether an individual poses an 
insider risk to an enterprise. I think it's commonly accepted 
wisdom, and it's probably good wisdom, that the most 
significant threats that most organizations are going to face 
are insider threats, in other words, the risk of an employee or 
a person who's trusted within a computer network obtaining 
access or misusing access to data that's contained within or 
housed within a particular system. So we think that an Insider 
Threat program is an extremely important thing to do.
    The program itself consists of a variety of different 
pieces, but beyond that, what's necessary is an overarching 
goal.
    Ms. Bonamici. I understand that, and I don't mean to 
interrupt----
    Mr. Gibson. That's----
    Ms. Bonamici. --but why did it stall in the fall?
    Mr. Gibson. That is unclear. I think that we've heard two 
different versions of the story as to why it stalled in the 
fall. From a senior management perspective, we've been told 
that there was concern that components of the program were 
conducting an investigation that was going too far and too fast 
with respect to an employee and that they needed to establish 
policies, procedures, standard operating procedures, and a 
means for managing the work that was being done before it 
continued.
    We've heard kind of a different story at a different level 
of the organization where they believe that they were in 
essence directed to stop, and they got the message that there 
wasn't----
    Ms. Bonamici. I want to try to get another question in but 
I know that the Committee would appreciate follow-up on that 
when you determine exactly why that failed.
    Mr. Gibson. Okay.
    Ms. Bonamici. I wanted to follow up on Mr. Loudermilk's 
questioning, and I think this is best directed to you, Mr. 
Gibson.
    The FDIC implemented a new version of its data loss 
prevention tool last September, and it was apparently the 
software that allowed you to identify the recent major data 
breaches but your office looked at the implementation of this 
tool, found some problems from September 2015 to the end of 
February 2016. The software identified 604,178 potential 
security violations and nearly 400,000 of those were related to 
removable media.
    So it's my understanding that ultimately it was up to some 
individual to sort through those incidents and determine which 
are the most suspicious in order to see if they were legitimate 
downloads or indicated potential unauthorized activity, which 
seems a little bit like looking for a needle in a haystack.
    So do you think that this DLP is a useful cybersecurity 
tool? What do you need to do to ensure it's used effectively? 
And just to follow up on Mr. Loudermilk's question, apparently 
now you're doing something that's inconsistent with that. And 
finally, since you've eliminated the removable media usage, has 
there been a reduction in the incidents that have been flagged 
by this DLP program?
    Mr. Gibson. Let me answer that as best I can. I think that 
the DLP tool as a tool is a tremendously important and helpful 
tool. I think that it requires a higher level of resources in 
order to be timely and effective. I would agree that digging 
through the volume of reports that the individual who's tasked 
with that has had to dig through really is a little like 
looking for a needle in a haystack, and I think that could be 
resolved, you know, by devoting some additional resources to 
it, and we've recommended that that be resourced differently. 
There may be other technical approaches that can be used as 
well. I wouldn't be the person to address that.
    Ms. Bonamici. By ``additional resources,'' do you mean 
additional people looking for the needles in the haystack or do 
you mean some other approach?
    Mr. Gibson. Both.
    Ms. Bonamici. Mr. Gruenberg?
    Mr. Gruenberg. Congresswoman, if I can just add to that, I 
think a large percentage of the incidents being identified by 
the technology was a result of the use of removable media. So 
by discontinuing the use of removable media, we hope that's 
going to substantially reduce the number of incidents and allow 
for the more effective use of the technology.
    Ms. Bonamici. And you said you hope that it does, but do 
you know yet, have the--has there been a reduction in incidents 
flagged by the DLP program since the elimination of removable----
    Mr. Gruenberg. It's obviously a recent development. We can 
check into that and come back to you.
    Ms. Bonamici. Terrific. Thank you very much.
    I yield back. Thank you, Mr. Chairman.
    Mr. Loudermilk. The Chair now recognizes the gentleman from 
Texas, Mr. Neugebauer, for five minutes.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    Chairman Gruenberg, through the course of this Committee's 
transcribed interviews of FDIC employees, it is clear that CIO 
Larry Gross's fast-tracking a number of initiatives to show 
progress in remedying these cybersecurity breaches, and some of 
those have been mentioned. Normally, as the Chairman said, that 
would be welcome news, although it appears that some of these 
initiatives spearheaded by Mr. Gross are not the fixes needed.
    Chairman Gruenberg, are you aware of Mr. Gross's initiative 
to replace all desktops at the FDIC with laptops?
    Mr. Gruenberg. Yes, Congressman.
    Mr. Neugebauer. And do you support that, and do you think 
that's a good idea?
    Mr. Gruenberg. As presented to me, it seems like a 
reasonable step to take. We're going to be implementing that in 
a careful and deliberate way. The use of laptops will enhance 
both the mobility and the continuity challenges that we face 
with our workforce. I think that's been part of the objective 
here.
    Mr. Neugebauer. Do you know what that's going to cost?
    Mr. Gruenberg. I can get that for you. You know, we 
provided laptops to our field employees in the previous year, 
and so this round is to provide it for our Washington 
employees.
    Mr. Neugebauer. So are you aware that a number of security 
experts at the FDIC strongly believe that replacing the 
desktops with laptops increases cybersecurity risk?
    Mr. Gruenberg. Look, I understand that there have been some 
statements to the Committee, and let me say, I'm sure those 
statements were made with good intent, and I appreciate the 
points raised. What we will do is, as for the points 
Congressman Loudermilk raised in regard to the DLP and DRM, is 
look into them, and, if we may, report back to you.
    Mr. Neugebauer. Well, just a little side note here. I think 
that the plan here has been to keep employees from taking data 
offsite, if I'm not mistaken, and if you start furnishing 
laptops with that information on there, it looks like to me 
we're moving in a different direction here, but----
    Mr. Gruenberg. Can I respond to that, Congressman?
    Mr. Neugebauer. Yes.
    Mr. Gruenberg. For what it's worth, and again, I want to be 
pretty cautious about representing myself in regard to 
technology, the laptops have value for both mobility and 
continuity of operations. If our operations are disrupted, 
there's value in our employees having that capability as well 
as tele-work. I think the belief is--and again, we'll review 
and come back to you on this--that a government-furnished 
equipment such as a laptop may be a more secure way to achieve 
that objective.
    Mr. Neugebauer. Well, I would suggest you look into that 
because I know a number of people are telling Mr. Gross that 
they don't think that's a good idea, and it appears that he's 
not listening, so I would encourage you to do your own due 
diligence.
    Let me show you some testimony from former Acting Chief 
Information Officer and now Deputy CIO when asked about Larry 
Gross's laptop initiative. Put the slide up there.
    [Slide.]
    Question: ``Are you--could you tell us a little bit more 
about the laptops. So under this new plan, would it replace the 
desktops that employees have at the agency?'' The answer was, 
``It's not clear, and this is one of the things that has not 
been thought through. Some of the questions are, so is this--
will this replace the desktop. So do you have both? So now I 
have a laptop and I have to take that back and forth. Now, 
again, I'm looking at it from a security perspective. Our focus 
has been security. What is the risk, you know? Why spend $5 
million? Is this really going to help security posture for FDIC 
in terms of your spending something and you don't know what 
you're getting in return from the security perspective. There 
are many other things we can be doing to improve security 
posture at FDIC, and this is not at the top of the list, but 
this is what happens when decisions are made at the top level 
without including subject matter experts, folks from divisions, 
from business, and there's artificial deadlines imposed by this 
July 31st that are supposed to do all of this.''
    Mr. Gruenberg, there are other examples of similar 
testimony from IT and security experts at FDIC. I mean, I'm 
beginning to question Mr. Gross's proficiency in his job. Are 
these alarming to you?
    Mr. Gruenberg. Let me say, you raised--the points you 
raised, I think, are serious ones, and we'll take the 
opportunity if we may to review them and perhaps come back to 
you.
    I would just say in regard to Mr. Gross, I think it's fair 
to say our Vice Chairman, Tom Hoenig's, perspective is one we 
believe Mr. Gross is a capable professional, and it's fair to 
say he assumed his position on November 2nd of last year so 
he's been on the job for 9 or 10 months. I think our sense is--
and believe me, we will carefully consider the points you 
raised--but I think our sense is, we'd like to give him an 
opportunity to do the job and we'll evaluate that and I assure 
you we will hold him accountable, but we don't want to--we want 
to at least give him a fair chance to see-
    Mr. Neugebauer. Well, my parting comment is, as you know, 
and you and I both know, is that one of the things that your 
agency does is hold the financial institutions that you 
regulate under very high data security standards, and as you 
should because we're handling very sensitive information. I 
think it's extremely important that the FDIC set an example in 
that area, and I don't believe we're accomplishing that goal.
    Mr. Loudermilk. I thank the gentleman, and Mr. Gruenberg, 
it sounds like the issue we're facing at FDIC is data getting 
out of the FDIC, and I would think that you would want to make 
it more difficult for employees to take data out, not make it 
easier with laptops. Maybe you should invest in a set of chains 
and locks instead of laptops.
    At this point I recognize the gentleman from Illinois, Mr. 
Foster, for five minutes.
    Mr. Foster. Thank you, Mr. Chairman, and thank you for 
everything that the FDIC does to make banking safer.
    One of my favorite graphs in the universe is the number of 
bank failures as a function of calendar year from the Civil War 
to today where you see that banks back in the days of when it 
was the Wild West before the FDIC, you saw that hundreds of 
banks would fail in a typical year, and when the FDIC and 
related regulation came in, before we decided to dismantle it, 
we saw essentially zero bank failures and banks became a safe 
place. And so I want to thank you for everything that you've 
proven capable of.
    Now, a couple of specific questions. The laptop thing, are 
these thin client laptops or are these full capability laptops 
with the data on drives and, you know, Bluetooth ports and all 
these sort of potential data leaks?
    Mr. Gruenberg. If I may, rather than answering that off the 
top, can I come back to you on that point?
    Mr. Foster. Okay. Do you know in a general sense how your 
security compares to the security, say, at a large, 
sophisticated law firm or a large bank where they hold equally 
sensitive information. For example, do they allow employees to 
telecommute with sensitive data on laptops with what level of 
encryption, et cetera? As a very high-level question, could you 
sort of compare the fraction of your budget devoted to 
cybersecurity compared to, you know, what a large, 
sophisticated bank, for example, or large law firm would do? 
That would be a very useful comparison to find out whether 
you're underinvesting in this or whether it's just a problem 
that everyone is wrestling with.
    Now, in relation to the removal of the portable storage 
devices there is an enormous data leak that everyone carries 
around in their pocket, and it's the very simple way of just 
taking pictures of screenshot. If you have access to read the 
clear text of a document, you can take a picture of it, and 
unless you plan to confiscate cell phones, it's very hard. 
There's a large class of insider attacks that you can imagine 
based on simply the existence of a cell phone in the employee's 
possession, and that is the sort of thing they do. If you're 
talking about nuclear bomb designs, you cannot carry cell 
phones in. Is that the level of security that you plan on 
investing in or is there some intermediate level and you just 
live with the risks that are allowed that are intrinsic in that 
lower level?
    Mr. Gruenberg. You raise an important point. We've 
addressed the removable media issue. We're in the process of 
addressing paper production and controlling paper production as 
well. The issue you raised of snapping of a photograph of a 
screen and taking it with you is an issue we need to address 
but that's a significant challenge.
    Mr. Foster. And a large number of secret ways of streaming 
the data out if you're allowed to download an executable on a 
laptop you own. There are many ways to communicate with similar 
programs on a cell phone that are going to be difficult to 
detect.
    So I was just wondering if you see the endpoint here to 
be the endpoint comparable to nuclear security or comparable to 
best practices at a big bank.
    Mr. Gruenberg. That's a--you know, I don't know--I would 
like to think we would at a minimum achieve best practices for 
both government agencies and the private sector. I think that 
would be a reasonable objective for us.
    Mr. Foster. And are you looking at the tradeoff between 
just cloud-based everything and just thin clients with no real 
data storage locally, which is in some people's view the best 
practice endpoint for this, versus the dangers of even having 
employees with encrypted data that they sometimes can forget to 
encrypt on their laptops and carry home and lose the laptop and 
that sort of fun class of data breach.
    Mr. Gruenberg. That's also a set of issues we have under 
review.
    Mr. Foster. Okay. Are there conferences where all the 
federal agencies and the best and brightest in industry get 
together and identify the best practices in this pretty 
terrifying environment?
    Mr. Gruenberg. There has been an enormous amount of 
interaction first among the federal agencies related to 
cybersecurity and expanded efforts for interaction with 
industry. I think there's an understanding that there needs to 
be a level of collaboration between the public and private 
sectors to begin to get arms around the cyber issue, and there 
are committees that have been established both made up of the 
federal agencies and made up of industry that also interact 
together in terms of trying to increase cooperation.
    Mr. Foster. So you're not really going off in a corner and 
inventing something new? You're collaborating with what is 
really a government-wide--at least government-wide if not 
industry-wide?
    Mr. Gruenberg. I think that's fair to say.
    Mr. Foster. Okay. Let's see. One last thing if I may, one 
last question. Can you contrast your level of security compared 
to the very, very large number of state banking regulators? 
Would you hazard a guess as to whether there're likely state 
bank regulators out there that have comparable vulnerabilities?
    Mr. Gruenberg. Well, it's a fair question. I'm not sure I'm 
in a position to comment on it.
    Mr. Foster. Okay.
    Mr. Gruenberg. I would say as a general matter, it wouldn't 
surprise me if our level of investment were greater given the 
resources, but you'd really have to look into it.
    Mr. Foster. All right. Thank you.
    Yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Oklahoma, Mr. Bridenstine.
    Mr. Bridenstine. Thank you, Mr. Chairman.
    Mr. Gruenberg, you have said that the FDIC takes seriously 
its commitment to improving its cybersecurity posture. Is that 
correct?
    Mr. Gruenberg. Yes, sir.
    Mr. Bridenstine. And you have said that improving the 
cybersecurity posture of the FDIC is one of your highest 
priorities. Is that correct?
    Mr. Gruenberg. Yes, sir.
    Mr. Bridenstine. So why is it that you don't do strategic 
IT planning?
    Mr. Gruenberg. Well, it's my understanding that under the 
CIO's direction that that is done, but let me check on that to 
be sure that's an accurate answer.
    Mr. Bridenstine. Mr. Gibson, do you agree that strategic IT 
planning is done at FDIC?
    Mr. Gibson. Sir, I've never really looked at that question. 
If you could help me out a little bit, what exactly do you mean 
by ``strategic IT planning''?
    Mr. Bridenstine. Well, the idea that we're not reactionary 
but instead we're planning ahead of time and not just reacting 
to every individual incidence.
    Mr. Gibson. Well, one of the subjects that we intend to 
look at in the very near future is the whole question of 
enterprise architecture. Enterprise architecture basically is 
understanding the design of the FDIC's network and its overall 
IT system and its IT structure. We've commented for years that 
we thought that more resources or effort needed to be placed in 
the enterprise architecture area. We intend to look at it 
specifically now because we do place great value on that in 
terms of being able to direct the resources and investment that 
are being made and understand better the networking and the 
security components of the environment that we're looking at. 
To the extent that that helps answer the question, it's 
something that we'll be looking at very specifically in the 
near future.
    Mr. Bridenstine. That's perfect.
    And Mr. Gruenberg, will you commit to evaluating the entire 
IT enterprise architecture and moving forward with strategic IT 
planning?
    Mr. Gruenberg. Yes, Congressman, I think that's an 
excellent suggestion. Thank you.
    Mr. Bridenstine. Okay. Mr. Chairman, I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Colorado, Mr. Perlmutter, for five minutes.
    Mr. Perlmutter. Thanks, Mr. Chair.
    So my first question to you two is, how does Bell's theorem 
or the Drake theory apply to the breach? Oops, that was for the 
astrophysicist from a couple days ago. I apologize for that.
    All right. I'll stop messing around.
    Mr. Gruenberg. I was looking over at Fred----
    Mr. Perlmutter. I'll stop messing around.
    First, like Mr. Foster, I want to thank both of you for the 
job that the FDIC does. We came through a very difficult time, 
2008, 2009 and 2010, expected a lot--I expected more failures, 
a lot of work between the insurance corporation and the banks 
to stabilize them and grow the economy. So the big picture, 
thank you very much.
    All right. So now I'm just going to go back to sort of how 
I can understand this, and there's been somebody who's a thief, 
he's robbed you, and then the question is, what was taken, and 
who and how many people have been robbed or otherwise hurt, and 
then what are you going to do about it. So I assume in these 
different instances, somebody--the robber, the thief is facing 
some criminal liability of some sort or another. Am I wrong?
    Mr. Gibson. Sir, we have a number of investigations that 
are currently open with regard to a number of the matters that 
we're talking about here today. I don't know what the ultimate 
outcome of those will be but the goal was to determine whether 
there is criminal responsibility that can be imposed on 
anybody, and if there is, we'll pursue it with our partners in 
the Department of Justice.
    Mr. Perlmutter. If I went back to my law firm and one of my 
partners or one of the staff took a file how would I respond? 
I'd say give it back but the problem you all face is that when 
somebody takes a file, they take a million files, and I think 
that's the purpose of today's panel, to try to understand how 
far and wide these things are, and how you're building your 
defenses to that disgruntled employee or somebody who made a 
mistake and bang, it's all out there.
    So you know, some of the questions, Mr. Chairman, have been 
directed to you about reprimands within the organization to the 
guy who just took over and is trying to figure out where the 
vulnerabilities are and who were the thieves I don't understand 
why reprimanding him at this point makes any sense. But I do 
understand the Committee's concern that if the FDIC is somehow 
robbed, that one, we need to check your defenses, but two, 
somebody's going to pay for it, you know, Edward Snowden, so it 
isn't like you're all by yourselves getting robbed. I mean, the 
NSA, the CIA, the Office of Personnel, Anthem Blue Cross, 
Target, Chase, you name it, everybody's been hacked. But you 
are the backstop for banks. So what are you doing to try to 
build up your defenses?
    Mr. Gruenberg. Well, Congressman, in this set of 
incidences, for all of these breaches, just from a technology 
standpoint, the underlying vulnerability, as I indicated, was 
allowing the use of so-called removable media--flash drives, 
thumb drives--which allowed an individual to download sensitive 
information on to a device like this and basically walk off 
with it.
    Mr. Perlmutter. All right.
    Mr. Gruenberg. That was the--and we've now, it's fair to 
say, discontinued the use of those devices.
    Mr. Perlmutter. Let me ask you this. The three of us are 
lawyers, all right? So how is it--I understand the 
investigations are proceeding, but if somebody takes off with a 
thumb drive, has any of this been put to nefarious use? Because 
if it has, then that guy should be under indictment or in jail. 
What really is happening there?
    Mr. Gruenberg. On the criminal side, I really should leave 
it to the IG because that's the IG's responsibility. I think 
in--well, Fred, do you----
    Mr. Gibson. So I guess the best way that I can answer that 
question is to say that we are pursuing cases where we believe 
that there is a basis for bringing them and we're just not at a 
point yet where we can disclose publicly exactly what the 
status of that case is, but yes, we are pursuing investigations 
in the specific areas you're concerned about.
    Mr. Perlmutter. All right, well thank you, gentlemen. Thank 
you for your service to the country, and I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Alabama, Mr. Palmer.
    Mr. Palmer. Thank you, Mr. Chairman. I have a slide, if we 
could get that slide up, please?
    [Slide.]
    Very good. Thank you.
    I want to walk through this with you. I'm going to read 
this transcript. You can read it if you can see it well enough 
on the slide. This was between FDIC personnel in regard to the 
breach, and it says, ``Just to be clear here for the record, 
there was a penetration of the FDIC network system generally by 
an outside party that was malicious, right? Correct?'' and the 
answer was, ``Yes.'' And the FBI alerted the FDIC, the 
appropriate people within the FDIC, that this was the case, and 
one of the potential fixes or appropriate actions was to shut 
down or turn off the entire FDIC system to eradicate the 
intruder, and the answer was yes, that was recommended. Okay, 
now after that, it was--the FDIC employee said, ``Now, after 
that, it was kept--I'm out of the loop except for Ned came into 
my office to tell me that this incident that Russ Pittman said: 
This can't get out here, this breach information. We can't do 
anything to jeopardized''--that's their word--''the chairman 
getting, when they vote, getting approved for because it's''--
and the questioner, ``A Senate-approved position? Confirmed.'' 
``Yes.'' You can take down the slide.
    Mr. Gruenberg, are you aware that the FDIC employee 
attempted to cover up the fact that a foreign nation hacked 
into FDIC systems in an effort not to jeopardize your 
confirmation as chairman by the U.S. Senate?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. You are not aware of that?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. You've never been made aware of it?
    Mr. Gruenberg. Never, sir.
    Mr. Palmer. Are you concerned that the----
    Mr. Gruenberg. There was a report that came out yesterday. 
That was the first that I had been made aware.
    Mr. Palmer. So no one within the FDIC discussed this with 
you even before the hearing that this might come? The first 
time you saw it was yesterday in the media?
    Mr. Gruenberg. Yes, and when that--the committee interim 
report was released and there was a reference to it. That was 
the first I became aware of it.
    Mr. Palmer. So you testified that you've never--you did not 
hear that before yesterday?
    Mr. Gruenberg. No, sir.
    Mr. Palmer. Okay. Are you concerned that the FDIC officials 
attempted to shield details of the incident from knowledge of 
the individuals outside the FDIC including the Inspector 
General until after your confirmation? Does that concern you?
    Mr. Gruenberg. I understand this was represented. I can't 
speak to the accuracy----
    Mr. Palmer. We can give you a copy of the transcript.
    Mr. Gruenberg. I understand, but, you know, it--I can't 
speak to the accuracy. If it was accurate, certainly.
    Mr. Palmer. When did you first learn that the breach 
occurred?
    Mr. Gruenberg. Well, this goes back to an incident in 2010 
and 2011, I believe.
    Mr. Palmer. Were you aware of it then?
    Mr. Gruenberg. I was made aware of it, I believe, for the 
first time in 2011, and as you may be aware, our Inspector 
General--undertook an investigation of this and issued a report 
in 2013. I believe the finding of the report as I indicated in 
my opening statement, is that in regard to this incident, both 
myself and other members of the Board and senior executives 
were not fully informed.
    Mr. Palmer. I've got a couple other questions. Are you 
confident that the FDIC's current cybersecurity posture can 
prevent a similar breach from occurring? It's a yes or no.
    Mr. Gruenberg. If I may, as the--I think we are improving 
our systems. I think--I want to say in light of OIG reports--I 
think it's fair to say we are working hard to address the 
issues identified. So I don't want to----
    Mr. Palmer. So you're not totally certain that it's secure?
    Mr. Gruenberg. I think----
    Mr. Palmer. Let me ask you this----
    Mr. Gruenberg. Congressman----
    Mr. Palmer. --in the context of how these breaches 
occurred, if I may, does the--where the employees taking 
information on their way out after they've left employment, 
does the FDIC have an employee handbook manual?
    Mr. Gruenberg. I would have to check but I believe--I 
assume we have something like that.
    Mr. Palmer. Based on that answer, I would assume you 
haven't read it.
    Mr. Gruenberg. I can't say I've looked at it, sir.
    Mr. Palmer. I think it might be a good idea if you became 
familiar with it and make sure that you have a policy in there 
that is clear that it is prohibited for any employee upon 
leaving their employment that they cannot take any information 
with them, and I think if that had been clearer, that might not 
have happened. It may have happened anyway, particularly with a 
disgruntled employee.
    Mr. Gruenberg. Congressman, if I may say, I do believe 
there is such a requirement so that when an employee leaves the 
agency, they have to sign a statement to that effect.
    Mr. Palmer. They do?
    Mr. Gruenberg. Yes.
    Mr. Palmer. Well, were these people prosecuted? Because 
that's a prosecutable offense.
    Mr. Gruenberg. That's what the IG is looking into, I 
believe.
    Mr. Palmer. Okay. Let me say this, Mr. Chairman, and I'll 
wrap it up.
    I find it interesting that some at the FDIC apparently 
thought your confirmation as Chairman was more important than 
taking immediate action to protect almost 31,000 banks and 
160,000 individuals, as it turns out the total here. It's as 
though these banks and their depositors and customers were 
acceptable losses, collateral damage, to ensure that you 
would--there would be no obstacles to your confirmation. That 
concerns me. That is indicative of some political calculations 
within the FDIC that in my opinion were totally inappropriate. 
I yield back.
    Mr. Loudermilk. I thank the gentleman.
    Mr. Gruenberg, as you're aware, this hearing is about 
security breaches, cybersecurity breaches, and your efforts to 
mitigate future breaches, but I'm growing more concerned of the 
lack of preparation because quite often, many times in most 
every witness, you've said let me get back to you on that, and 
in one case, what really concerns me, you said you may get back 
to us with that----
    Mr. Gruenberg. I'll get back on every point, sir. I didn't 
mean to----
    Mr. Loudermilk. Oh, okay. That helps a little bit. But also 
getting a little more concerned, we don't expect you to know 
the answer to every intricacy in there but not knowing whether 
you even have a policy handbook is concerning, and a lack of 
staff here as advisors with you is--may lead some to believe 
that maybe you weren't as prepared or take this as seriously as 
we think you should.
    With that, I recognize the gentleman from Virginia, Mr. 
Beyer, for five minutes.
    Mr. Beyer. Thank you, Mr. Chairman.
    I believe we can all agree that the FDIC has suffered from 
some serious data breaches and that some of their responses to 
the Committee were initially not complete and that the original 
analysis of these major data breaches by senior FDIC officials 
was not adequate or fully accurate. However, I don't agree that 
we can or should infer from the facts that the Committee has 
gathered to date as the Majority has clearly done that 
individual FDIC employees intentionally lied to this Committee 
or have engaged in deliberate obstruction of this Committee's 
investigation.
    Unfortunately, the Majority appears to have selectively 
pulled some information that helps them paint that narrative. 
They ignore some records and have intentionally not interviewed 
certain witnesses who may have presented a fuller understanding 
of the agency's actions that the Majority has called into 
question.
    As one key example, the Majority staff report refers to one 
FDIC official who the report stated, ``deliberately tried to 
prevent FDIC attorneys from creating records that would be 
responsive to the Committee's request in this investigation.''
    But the initial request not to create emails regarding 
certain investigations of the agency's investigation was 
documented in an email from one FDIC employee on October 29, 
2015, which was long before the Science, Space, and Technology 
Committee began an investigation, long before we were even 
aware of the breach.
    So while this email raises legitimate questions about why 
FDIC employees were directed not to put certain information in 
emails--that's certainly inexcusable--it occurred one day 
before the OMB memo 1603 was issued and 4 months before the 
Committee even became aware of the data breach at the FDIC. So 
to suggest this direction was part of an effort to obstruct the 
Committee's investigation makes no sense, is frankly misleading 
when you examine all the records the Committee has obtained.
    So I'd like to seek unanimous consent to enter this email 
of October 29, 2015, into the record.
    Mr. Loudermilk. Without objection, so ordered.
    [The information appears in Appendix II]
    Mr. Beyer. Thank you, Mr. Chairman, and Mr. Chairman 
Gruenberg, I read carefully--I listened to you but I also read 
the 15-page statement that you submitted for the record, and I 
just wanted to thank you for not the disasters before but for 
taking full responsibility, for trying to be as clear and 
transparent as possible, for coming together with a 
comprehensive plan which takes up most of that 15 pages, and 
near as I can tell, fulfilling all of the Inspector General's 
recommendations. I thought Chairman Smith's opening question, 
which is to the Inspector General, are you as the leader of the 
FDIC doing everything that they recommended, and let me, 
Inspector General, ask you that one more time to make sure that 
we're all on the same page.
    Mr. Gibson. Sir, they gave us a series of responses to our 
recommendations that we consider to be responsive. What we'll 
be doing is, we'll be following up to monitor the 
implementation of the things that the FDIC has indicated they 
will do and to determine whether they've been effective.
    Mr. Beyer. Great, great. We would only expect that you 
would continue to make sure that the chairman and his team 
follows through on the recommendations you've made.
    Mr. Chairman, in the back and forth with my good friend 
from Alabama, where you were taking some heat about the 
employees who were shielding you through the nomination 
process, were you aware that they were shielding you, and did 
you take any personnel action once you became aware?
    Mr. Gruenberg. I certainly was unaware, Congressman, as I 
indicated. I learned about it for the first time yesterday, and 
I just would be cautious. I understand it was asserted by an 
individual in an interview, but there hasn't been a review of 
what actually occurred here, so I'd be cautious, you know, 
about the accuracy of the representation.
    Mr. Beyer. Okay. Good. Thanks. But you certainly would 
agree that this is inappropriate?
    Mr. Gruenberg. Oh, no question, if indeed it's true.
    Mr. Beyer. Yeah. Thanks. Much has been made about the seven 
people that took the records out, the excess of 10,000 per 
person. What is the long-term follow-up plan to make sure that 
the data breaches have no ongoing effort? You know, sometimes 
the records are stolen by whomever, and it could be 2, 3, four 
years before they try to apply for a credit card or a car loan 
or something like that.
    Mr. Gruenberg. Well, as a threshold, I think we're 
addressing the technological vulnerability related to the 
removable media that sort of underlay each of these incidences, 
so hopefully as a threshold, that'll be helpful in addressing 
it. We'll also be implementing policies and procedures to 
carefully monitor any activity and have a very strong system of 
controls relating to any employee who may be separating from 
the agency.
    Mr. Beyer. But I'm specifically concerned about the records 
that were already out there, not breaches still to happen but 
breaches that already did occur.
    Mr. Gruenberg. Yeah. For the ones that have been 
identified, and we have recovered the devices, we can't say 
with certainty that there was no dissemination. I don't know 
that we can ever demonstrate that conclusively. At least thus 
far, we haven't had evidence of dissemination.
    Mr. Beyer. Okay. Great. Thank you, Mr. Chairman.
    Mr. Chairman, I yield back.
    Mr. Loudermilk. I thank the gentleman from Virginia, and 
Mr. Gruenberg, since you are going to get back with us on some 
things, would you please provide this Committee the copy of the 
handbook that was mentioned earlier?
    Mr. Gruenberg. Yes.
    Mr. Loudermilk. Also, notice to the members of the 
Committee, we do intend on doing another round of questioning 
for those--this is an important matter. We'll make sure 
everyone gets their ample opportunity to ask their questions.
    With that, I recognize the gentleman from Louisiana, Mr. 
Abraham, for five minutes.
    Mr. Abraham. Thank you, Mr. Chairman.
    Mr. Gruenberg, when did you first become aware of the 
Florida incident where 10,000 people's records were 
compromised? When did you become aware?
    Mr. Gruenberg. I think I was informed in--the incident 
occurred on October 15th. It was identified on October 23rd. I 
believe I was notified for the first time in November, I think 
November 19th.
    Mr. Abraham. So about a month?
    Mr. Gruenberg. Yes, sir.
    Mr. Abraham. What was your role in deciding whether to 
report that to Congress or not?
    Mr. Gruenberg. I didn't. As the IG noted in its report, I 
didn't have a role in that.
    Mr. Abraham. So I mean, you couldn't have been proactive? 
Or could you have been proactive in reporting that to Congress 
if you so chose?
    Mr. Gruenberg. It was a judgment made by our CIO working 
with the data breach management team----
    Mr. Abraham. And that was the gentleman that took the hand 
on November 2nd?
    Mr. Gruenberg. Yes, sir.
    Mr. Abraham. And I understand that he was new to the job 
and he has been in the job eight or nine months and that he's 
learning the job but, you know, I might suggest this is not an 
on-the-job training job. He should have come very well vetted 
and prepared to do the job on day one. So it does concern me 
that, you know, we're taking this type of attitude--well, he's 
learning the job, so to speak, and you know, we hate it that he 
was thrown into the fire that early. I mean, if he would have 
been thrown into the fire the day he got on the job, he should 
have been able to do the job.
    Mr. Gruenberg. It's a fair point, Congressman. He came, as 
you can--if you reviewed his bio--with considerable experience 
in this area. I was referring to his learning a new agency.
    Mr. Abraham. Well, I understand that, but again, these are 
questions you ask in a pre-employment brief, and he knew the 
job before he took the job.
    Did you ever resist the OIG's suggestion to report the 
Florida incident as a major incident to Congress?
    Mr. Gruenberg. No, Congressman.
    Mr. Abraham. Okay. Mr. Chairman, I yield back.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Ohio, Mr. Davidson, for five minutes.
    Mr. Davidson. Thank you, Mr. Chairman. Thank you both for 
coming here, and I appreciate the work that you do. The FDIC 
does have a nice track record of success in securing our 
financial institutions. I'm very concerned about the recent 
record of securing our data which is at stake, so thank you for 
taking that seriously.
    And one of the questions I've got going back to this 
Florida incident, Mr. Gibson, did your staff find that the 
FDIC's representations of the Florida breach were inadvertent, 
non-malicious, and the breacher was cooperative? Did you find 
those as accurate statements?
    Mr. Gibson. No, sir, we wouldn't agree with that.
    Mr. Davidson. Mr. Gruenberg, why would your staff provide 
that information during the Committee's briefing to Congress 
that they were simply trying to understand how it actually 
occurred?
    Mr. Gruenberg. Congressman, I believe--and I understand the 
IG's perspective on this. I think the assessment made rightly 
or wrongly by our CIO in conjunction with other staff in the 
Legal Division was that it was inadvertent. It may have been a 
misjudgment but that was the judgment--the conclusion that was 
reached.
    Mr. Davidson. And just to restate it, I think it's been 
covered, but to be very clear, the individual at the center of 
this was not cooperative and was--since it was not inadvertent. 
It was therefore advertent. It was non-malicious, therefore, it 
was malicious. Has there been any action taken against this 
individual?
    Mr. Gruenberg. Well----
    Mr. Gibson. Sir, she's a former employee, so from the 
FDIC's perspective, I assume there really isn't any action that 
they're able to take, and again, all I can say with respect to 
our ongoing work is that there are a number of matters that 
we're looking at that haven't reached the stage where we can 
discuss it publicly.
    Mr. Davidson. You don't feel that there's a crime that has 
been committed here?
    Mr. Gibson. Sir, whether I feel there's a crime or not 
probably isn't the issue. The question is whether an individual 
was engaged in behavior that the Department of Justice would 
agree constitutes a crime and they can bring an indictment 
against someone.
    Mr. Davidson. We've seen that seems to be a pretty high bar 
lately.
    What would happen--you guys cover our banks and our 
financial institutions, and really audit many of these same 
transactions. So what would happen if a financial institution 
had a similar data breach?
    Mr. Gruenberg. I asked that question, Congressman. I 
think--a couple of things. They would have to identify the harm 
or risk of harm, they would have to notify customers that are 
impacted if there is a risk of harm, and there would be an 
expectation that they would notify their regulator.
    Mr. Davidson. And they would be very clear under Dodd-Frank 
in particular that they would notify you, correct?
    Mr. Gruenberg. I believe it's actually under the Gramm-
Leach-Bliley Act that there was a provision relating to this.
    Mr. Davidson. Right. And how would--how would you react if 
a financial institution provided patently false information to 
you during your investigation? What sort of course of action 
would you have in following up with that institution?
    Mr. Gruenberg. I think the procedure would be that there 
would be a follow-up at the next examination. We would review 
the handling of the case. We would review their systems, to see 
whether there was, you know, a failure. If there was evidence 
of intentionality in terms of not reporting that, that would be 
an additional matter we'd have to take into consideration.
    Mr. Davidson. What sort of signs would you look for to say 
that they were actually taking the matter seriously? Would you 
consider it serious if they kept all the same personnel and 
practices in place?
    Mr. Gruenberg. I think the threshold--and again, I'm not an 
examiner, but I'll just try to respond--I think would be what 
systems do they have in place and the effectiveness of those 
systems to deal with these kinds of issues.
    Mr. Davidson. Here's the concern I've got coming into the 
meeting, and frankly, only made worse during the conversations, 
is that we're focusing on one or two individuals, and really, 
the IT department at your agency can't be as strong as one new 
employee. You've got a robust staff, and so I'd be curious to 
know what sort of recommendations and dialog and, frankly, from 
the whistleblower information, it seems like there's really not 
a lot of support for some of the direction your new CIO is 
going. And that doesn't mean that there's--that it's accurate, 
to your point. I appreciate your desire to look into it. But 
I'd also ask you to look into the culture because, frankly, it 
sounds like this culture is perhaps maybe partisan cover-ups 
and maybe just concern that it's impossible to fail. There's a 
lot of pressure to perform, and so there's cover-ups there, and 
so a culture that doesn't provide the kind of transparency is 
not likely to be able to deliver the kind of results that your 
mission requires, and so I'm very concerned about that.
    Thank you. I yield back, Mr. Chairman.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Illinois, Mr. LaHood, for five minutes.
    Mr. LaHood. Thank you, Mr. Chairman, and I want to thank 
both of you for being here today. I appreciate it very much.
    I guess I want to just focus a little bit on some of the 
transcript interviews that have been conducted with FDIC 
employees seem to indicate that there has been a concerted 
effort by the legal department at FDIC on instructing employees 
on how to respond when it comes to cybersecurity breaches as it 
relates to emails, and it seems like a real effort, Mr. 
Gruenberg, to limit the exposure to Congressional and FOIA 
requests, and that's really concerning to the Committee and to 
us because what that leads us to believe, or me to believe, is 
that you're hiding facts or circumstances surrounding these 
breaches, and particularly when it comes from the legal 
department because that's who your employees rely upon in your 
department, and I guess just from a foundational standpoint in 
looking at these very serious cybersecurity breaches, Mr. 
Gruenberg, do you take transparency seriously at the 
department?
    Mr. Gruenberg. Yes, Congressman.
    Mr. LaHood. And are you committed to working with this 
Committee and the Inspector General to prevent breaches in the 
future?
    Mr. Gruenberg. Yes, very much so.
    Mr. LaHood. And as Chairman of the FDIC, you speak on 
behalf of the Agency. Is that correct?
    Mr. Gruenberg. Yes, but just acknowledging I have a board 
that I have to consult and work with as well.
    Mr. LaHood. And can you--I want to get into a couple of 
these interviews that were done. Can you give us--you're a 
lawyer, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. And in fact, you served as Senior Counsel to 
the Senate Banking Committee, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. So the legal department instructing FDIC 
employees not to discuss matters related to cybersecurity and 
breaches, why was that being done?
    Mr. Gruenberg. I understand that was represented in the 
report. If I may, let us look into it and come back to you on 
it.
    Mr. LaHood. Well, that's hard to take that answer when your 
legal department is giving that advice.
    I want to direct your attention to a specific transcript. 
It's up on the screen there. This is an excerpt for--these are 
questions that were asked, and the nice thing about transcripts 
is, it gives us the questions and the answers that were given. 
``Are you aware of any instructions given by anyone at the FDIC 
to not discuss certain subject matters in an email?'' That's 
the question. Answer: ``Yes.'' Question: ``Could you shed a 
little light on that?'' That's the question. Answer: ``I 
received the same instructions directly from Roberta McInerney, 
and Roberta McInerney's instructions to me were, quote, `Do not 
discuss deliberations over the applicability or implications of 
OMB 1603 in an email.''' Question: ``You mentioned that 
instructions from Roberta McInerney gave to you. Was that 
directly to you?'' Answer: ``Yes. Roberta McInerney gave those 
instructions directly to me.''
    So I look at that from employees, and that seems to be a 
pattern here. Were you aware that she was giving those 
instructions to FDIC employees?
    Mr. Gruenberg. No, I wasn't, Congressman.
    Mr. LaHood. When you found out she was doing that, what did 
you do?
    Mr. Gruenberg. This was represented, I gather, in an 
interview by one of our employees with the Committee, and so it 
is now something that we will----
    Mr. LaHood. When did you become aware of it?
    Mr. Gruenberg. I know it was contained in the report that 
was released yesterday. There may have been emails that we 
provided, so I'd have to check specifically, but that's 
something we will have to----
    Mr. LaHood. When did you become aware that she was doing 
this?
    Mr. Gruenberg. I can't tell you specifically. I'd have to 
go back and check the record.
    Mr. LaHood. Would you--I mean, just can you give us a time 
frame? Would it have been two months ago, a month ago?
    Mr. Gruenberg. It would have been--I really have to check 
but it would have been--I'd have to look at the production that 
we made to the Committee when we----
    Mr. LaHood. I'm asking for a time frame when you became 
aware that she was instructing employees to do this.
    Mr. Gruenberg. I would assume in the last few weeks but I'd 
have to check on it.
    Mr. LaHood. When you found that out, what did you do?
    Mr. Gruenberg. We haven't taken any action on it yet, sir.
    Mr. LaHood. So when you found out, you have not done 
anything?
    Mr. Gruenberg. Not thus far.
    Mr. LaHood. Were you complicit in those instructions?
    Mr. Gruenberg. No, sir.
    Mr. LaHood. Did you ever advise employees in your 
department to do what Roberta McInerney did?
    Mr. Gruenberg. No, sir.
    Mr. LaHood. Does every employee at the FDIC take an oath of 
office?
    Mr. Gruenberg. I believe so.
    Mr. LaHood. I want to put up on the screen there the oath. 
I believe this is the oath that's taken by employees. I believe 
you took this oath and everybody else there. You're familiar 
with that, correct?
    Mr. Gruenberg. Yes, sir.
    Mr. LaHood. And do you believe that your employees are 
abiding by that oath of office?
    Mr. Gruenberg. I believe so.
    Mr. LaHood. And can you certify to the Committee that all 
your employees are abiding by this oath?
    Mr. Gruenberg. I don't know that I have the capacity to do 
that.
    Mr. LaHood. Thank you. Those are all my questions, Mr. 
Chairman.
    Mr. Loudermilk. I thank the gentleman from Illinois, and I 
also may add that the questions by Mr. LaHood are corroborated 
by the email that was entered into the official record by Mr. 
Beyer that this was indeed happening, so I thank the gentleman 
from Virginia for that.
    I now recognize the gentleman from Texas, Mr. Weber, for 
five minutes.
    Mr. Weber. Thank you, Mr. Chairman. That was an interesting 
discussion between you and Mr. LaHood, Mr. Gruenberg. I might 
give you some unsolicited advice. You can actually download the 
manual onto a thumb drive and walk out with it probably as some 
other things too if you want.
    Did you become aware of that information before the report 
was released, you talked about yesterday, you said a few weeks?
    Mr. Gruenberg. I'd really need to check just to be sure I 
give you accurate information.
    Mr. Weber. Well, that's very, very interesting.
    You have--you said earlier in a discussion with Randy 
Neugebauer in an exchange that you were careful about 
representing yourself as being with technology or something to 
that effect. So who would--you're aware that the Insider Threat 
program is aimed at identifying potential employees. Since 
you're not a technology person, who advises you on that 
program?
    Mr. Gruenberg. The--we have both the CIO and our Division 
of Administration is responsible.
    Mr. Weber. Okay. Is that program contained in the manual? 
You probably don't know because you haven't read the manual.
    Mr. Gruenberg. No, that's--I don't believe--it's a program 
we're in the process of establishing.
    Mr. Weber. So it was established at one point but you 
halted it?
    Mr. Gruenberg. No, it was in the process of being 
developed.
    Mr. Weber. So it was being developed and you halted the 
development?
    Mr. Gruenberg. Well, I believe the term used in the IG's 
report was ``stall.'' I think there was a process of developing 
the program over a period of time. My understanding of what 
occurred is that there was a lack of follow-through in bringing 
it to completion.
    Mr. Weber. Who advises you on that program's progress or 
lack thereof?
    Mr. Gruenberg. It would be, I think, both our Division of 
Administration and our CIO.
    Mr. Weber. Can you give us the name?
    Mr. Gruenberg. I can get those for you, sure.
    Mr. Weber. So you didn't have any discussion with 
individuals that you know the name of that said look, the 
program needs to be halted?
    Mr. Gruenberg. Oh, no, no. I think there's--no, sir.
    Mr. Weber. So you just halted it on your own without 
conferring with anybody?
    Mr. Gruenberg. No, as I indicated, my understanding is that 
the program was in development and it was not brought to 
completion in a timely way.
    Mr. Weber. So who halted that program?
    Mr. Gruenberg. As I said, I don't know that it was halted. 
I think the term used in the IG's report----
    Mr. Weber. Okay. So who--it quit being developed. Now we're 
parsing words.
    Mr. Gruenberg. I think it never stopped being developed. I 
think it slowed down. It wasn't brought to fruition in a timely 
way.
    Mr. Weber. But nobody advises you on this program?
    Mr. Gruenberg. I think both the Division of Administration 
and the CIO----
    Mr. Weber. But you'd have to have one person who was an IT 
expert, right, that actually knew that program inside and out 
and could come report to you?
    Mr. Gruenberg. We have a security group in our Division of 
Administration that I think is the lead on that.
    Mr. Weber. Who do they report to?
    Mr. Gruenberg. They would report to the Director of the 
Division.
    Mr. Weber. And who would that Director of that Division 
report to?
    Mr. Gruenberg. The Director reports to our Chief Financial 
Officer.
    Mr. Weber. And who would that Chief Financial Officer 
report to?
    Mr. Gruenberg. To me.
    Mr. Weber. To you. And you had no communication up that 
line to talk about that program and it needed to be stopped 
being developed or halted or whatever parsed word we want to 
use?
    Mr. Gruenberg. No, sir.
    Mr. Weber. No communication whatsoever?
    Mr. Gruenberg. No, I was briefed on the program, and it was 
an understanding that we wanted to develop it in a careful way.
    Mr. Weber. And you were briefed by who?
    Mr. Gruenberg. By the individuals I mentioned.
    Mr. Weber. And the names?
    Mr. Gruenberg. The Director of our Division of--I'd have 
to--I should check, you know, who participated in the briefing 
to be sure I----
    Mr. Weber. But you did name two, Director of the Division 
and the CFO, I think.
    Mr. Gruenberg. Yeah, I would want to just check for 
accuracy as to who took part in the briefing just to be sure.
    Mr. Weber. So you're not sure that either one of those 
people briefed you?
    Mr. Gruenberg. I believe they did. I just want to check the 
record to be sure I'm giving you accurate information.
    Mr. Weber. Okay. And you can get back to us in writing with 
that?
    Mr. Gruenberg. Certainly.
    Mr. Weber. Mr. Gibson, do you understand the Insider 
Threat--maybe you could brief Mr. Gruenberg. Do you understand 
the Insider Threat program?
    Mr. Gibson. I try to.
    Mr. Weber. Okay.
    Mr. Gibson. Do I understand it? Yeah, I mean, the basic 
purpose of the program----
    Mr. Weber. Do you know why it was halted last fall, or 
not--``halt'' is not the right word--no longer developed?
    Mr. Gibson. We had a discussion about that a little earlier 
in the hearing today, and, you know, basically we've heard two 
reasons for that. You know, management believed that the 
program was moving too far, too fast, too quickly, that it 
needed to, you know, develop some standard operating procedures 
and processes and so forth. The people who were a lower level 
of the organization believed that they were essentially told 
stop, and----
    Mr. Weber. Is there communication about that? When you said 
they believed they were told to stop, was there communication 
about that we can get?
    Mr. Gibson. There were a couple of briefings, as I recall.
    Mr. Weber. Any emails?
    Mr. Gibson. None that I'm aware of, sir.
    Mr. Weber. Okay. Would you recommend that it be unhalted or 
un--whatever the term you want to use?
    Mr. Gibson. I think the most significant recommendation in 
one of the audits that we've completed is that the FDIC 
establish a formal Insider Threat program.
    Mr. Weber. Okay. Chairman, did you say there's going to be 
a second round of questioning?
    Mr. Loudermilk. Yes, we will, until we get through everyone 
or votes are called, which we anticipate is going to be about 
40 to 45 minutes.
    Mr. Weber. Well, then I'll go ahead and yield back. Thank 
you.
    Mr. Loudermilk. The Chair recognizes the gentleman from 
Illinois, Mr. Hultgren, for five minutes.
    Mr. Hultgren. Thank you, Mr. Chairman. Thank you both for 
being here.
    Mr. Gibson, I want to commend your good work on these audit 
reports. Your team has done an outstanding job.
    Mr. Gibson. Thank you, sir.
    Mr. Hultgren. I want to point out, however, that the FDIC 
has been without a Senate-confirmed Inspector General for over 
a thousand days. Since September 2013, there's only been an 
Acting Inspector General. Congress, the House in particular, 
relies on the IGs to be independent watchdogs. To a certain 
extent, they are our eyes and ears within the department or 
agency.
    Mr. Gibson, would having a Senate-confirmed IG empower your 
office, and if so, how so?
    Mr. Gibson. Sir, I think under the IG Act, the idea of a 
Senate-confirmed IG is to create a position with significant 
independence within the agency and the ability to handle things 
in a totally independent manner. I mean, all I can say is, 
we've done our best to preserve our independence through this 
period of time, and I believe we have.
    Mr. Hultgren. I appreciate that.
    The Committee has learned that the Agency has access to 
your Office of Inspector General emails in some cases as well 
as emails between your office and the informants you may have 
within the agency. Does this raise concerns for you? What, if 
anything, is the agency doing to remedy the comingling of 
emails?
    Mr. Gibson. So it raised significant concerns for us when 
the subject was brought to our attention. Now, it's not all 
email. There are pockets of email that appear to have been 
exposed to a program that enables it to be searched. In fact, 
it was discovered in the FDIC's search of its email vault in 
response to this Committee's request for information. They are 
emails that involve certain members of our staff that involve 
certain periods of time. We've been working closely with the 
Division of Information Technology at the FDIC to identify the 
emails that are there, to segregate them, to prevent them from 
being found through the course of the use of that. We're 
looking at logs to determine who's looked at those emails. 
We're conducting a good deal of independent work to provide 
ourselves with as much assurance as we can about the security 
of that stuff. I'd be happy to describe that in more detail. I 
don't want to take all of your time.
    Mr. Hultgren. No, I'd like to hear more about it. I mean, 
this is really the focus of my question. So I mean, if--and 
really, what we can do. I'm concerned about this. Again, I 
think is an important service tool, something that we need, and 
so I'm concerned of some of the--what I see as negative impact 
that could come from this, so I'd love to hear from you 
suggestions of what we can do, what you're doing to make sure 
that your work is protected and the integrity is strong.
    Mr. Gibson. One of the things that we are doing is we're 
bringing in an independent group to advise us, you know, and to 
provide us with independent assurance that the steps that have 
been taken to mitigate this issue are correct, that the search 
logic and the search efforts that we have undertaken to be sure 
that we know exactly the scope of all of the problems that we 
have have been fully identified and again remediated.
    I think that on a longer-term basis, what this leads us to 
is questioning where our IT environment should be located. We 
want to take our time in answering that question because 
obviously there are large implications for our office both from 
a staffing standpoint and a financial standpoint, if nothing 
else but balancing that against the need for at least the 
outward aspects of independence that are implicated when the 
suggestion can be made that somebody's taking a look at email. 
There's a lot of issues for us to balance in this, and we're 
trying to do it quickly, but we want to be sure we do it in a 
very thoughtful manner.
    Mr. Hultgren. I appreciate that. We certainly want that, 
but we also want to hear from you as you are coming to 
conclusions of how do we do this well, how do we make sure that 
we're assisting in this again to make sure that as best as we 
can the information we're getting from your office we know 
isn't affected, compromised, being seen before we have a chance 
to----
    Mr. Gibson. Absolutely, sir, and we completely understand 
and agree with that, and I'll be more than happy to provide you 
or staff with whatever information we can as we move through 
this process just to keep you updated on the things that we're 
doing and what we think that we need to do.
    Mr. Hultgren. Great. Thank you.
    With that, I yield back, Chairman. Thank you.
    Mr. Loudermilk. I thank the gentleman.
    Mr. Gibson, thank you for that. I think that shows 
foresight and planning and being proactive, not just reactive 
to these types of steps, and I think that's the type of thing 
that we would be looking for.
    With that, I recognize the gentleman from California, Mr. 
Rohrabacher, for five minutes.
    Mr. Rohrabacher. Thank you very much, Mr. Chairman, and let 
me apologize. Earlier on in the hearing, I was at a markup, and 
quite often we have two or three responsibilities happening at 
the same time, so maybe I'll try to go to more of a--rather 
than go into details, I could get some analysis view of the 
actual basis, the fundamental issues of what we're talking 
about.
    We're discussing computers that were hacked by the Chinese 
or other entities between 2010 and 2013 of the Federal Deposit 
Insurance Corporation. What harm could come of the fact that 
you have other entities and the Chinese hacking into your 
computer system? What harm would that cause?
    Mr. Gibson. Sir, is that question directed----
    Mr. Rohrabacher. Whoever.
    Mr. Gibson. It can cause significant harm obviously. I 
mean, there's a significant volume of information that's 
available in the FDIC's IT environment, a great deal of 
sensitive information, whether it's privacy-related information 
or information related to----
    Mr. Rohrabacher. Maybe you can give me an example of 
something harmful that could come from that.
    Mr. Gibson. Well, for example, there are large volumes of 
information about specific financial institutions. Let's take 
just the Dodd-Frank resolution plans. There are non-public 
segments of those documents. That information could be 
extremely valuable to an adversary, and it may be something 
that could be targeted by someone.
    Mr. Rohrabacher. So if we have Chinese hacking into our 
system, what you're saying is that because they were--this was 
happening, perhaps American businesses that are doing business 
here and in China who are facing competitors or facing 
adversaries, economic adversaries, that the American companies 
because we are complying with the information required of us by 
the Federal Government could be put in economic jeopardy?
    Mr. Gibson. Sir, in theory, there's risk there, yes.
    Mr. Rohrabacher. All right. So this really could add up to 
very great harm done to Americans financially, both American 
companies, perhaps some individuals as well who have invested 
in those companies.
    Now, we're being told that of course now that the FDIC was 
less than forthcoming about this. Now, I seem to remember those 
days. We were told over and over and over again about the 
importance of not getting--of being hacked into and 
cybersecurity was something we talked a lot about, but yet we 
now are, from what I've heard even now and read so far about 
the hearing is the FDIC was less than forthcoming to Congress 
about what was going on, and in fact, we were not informed and 
intentionally uninformed of this.
    So let me just note for the record, Mr. Chairman, that this 
attitude that we're talking about that pervaded, that actually 
made people make their decisions based on an attitude that 
prevailed at the FDIC is, number one, of course something that 
is unacceptable, but I see that as part of a trend in this 
Administration.
    Listen, I worked in the Reagan White House and it was very, 
very clear that what happens at the very highest level of an 
administration creates the attitude and the standards that go 
right on down to the departments and agencies. So let me just 
suggest, and what I've heard so far, and what this indicates is 
that there's been a pattern of obfuscation in this 
Administration, not only on this issue but others. There's been 
a pattern of stonewalling and covering up mistakes and 
wrongdoing, and these things cannot be just shrugged off. These 
are things that have to be taken seriously, especially when as 
we are noting now that there is actual damage to the American 
people where actually some people we could have billions of 
dollars' worth of financial harm done by information that's 
supposed to be secret information, confidential information, 
but is now being ignored when our economic enemies actually get 
their hands on the information.
    I would suggest that we have here is not a culture of 
secrecy at your department but instead a disrespect for 
Congress's right of oversight, a disrespect for the rights of 
the American people to actually get the information during 
Congressional hearings, and so what we've had is from the 
beginning a cover-up and obfuscation of that cover-up of not 
necessarily wrongdoing but covering up the fact that somebody 
wasn't maybe able to do their job. You can't expect things to 
be corrected if it's done even with a good motive, but if you 
have some evil motives going on, that will never be uncovered 
unless we have better cooperation between the executive branch 
and the legislative branch, especially in oversight 
responsibilities.
    So thank you very much, Mr. Chairman, for your oversight 
responsibilities.
    Mr. Loudermilk. I thank the gentleman from California, and 
I think it's imperative for us to understand that, you know, 
the American people rely upon this government for their safety 
and security, from homeland security to even the safety and 
security of their financial assets through the FDIC. The 
frustration with the American people is that because of 
multiple incidences, they rely on the government but their 
trust in the government is at an all-time low, and it's because 
of situations such that Mr. Rohrabacher has spoken about and 
what we're investigating here.
    With that, the Chair recognizes the gentleman from 
Arkansas, Mr. Westerman, for five minutes.
    Mr. Westerman. Thank you, Mr. Chairman. I'd also like to 
extend my appreciation to Mr. Gibson for their work. If I could 
ask the Committee staff to put a slide up? Okay. Thank you.
    [Slide]
    I just want to read from the transcript. This is an excerpt, 
some questions and answers. The first question was, ``Were 
those updates being provided to anyone in the Chairman's office 
or the Chairman himself'' and the answer was ``Let's see. At 
the time it was Roddy, Brian, myself, Martin, Chris, and Russ 
Pittman. The COO was later added.'' The question is, ``Is that 
Barbara Ryan?'' and the answer was, ``On December 1st.'' 
Question: ``Barbara Ryan is the COO and chief of staff to the 
chairman. Is that correct?'' The answer is ``Yes.'' The next 
question: ``Does she act as the chairman's eyes and ears in 
meetings like this?'' and the answer was, ``My understanding--I 
don't have direct knowledge of that but yes.''
    So Mr. Gruenberg, did you attend meetings regarding the 
cybersecurity incidents including the Florida incident to 
discuss the agency's response to the breaches?
    Mr. Gruenberg. I believe, Congressman, I was briefed on 
November 19th by the CIO in regard to the Florida incident, and 
I think that was the only briefing I actually had on it.
    Mr. Westerman. So you actually didn't attend----
    Mr. Gruenberg. No, sir.
    Mr. Westerman. Okay. So when you were not present, did your 
chief of staff, Barbara Ryan, attend?
    Mr. Gruenberg. As indicated in the--I believe so, yes.
    Mr. Westerman. And how often did Barbara Ryan brief you on 
the status of the breaches?
    Mr. Gruenberg. She really didn't brief me, as it were. 
There may have been occasions where she gave me a heads up but 
not--it wasn't really her role to do the briefings.
    Mr. Westerman. Even though the transcript says she was your 
eyes and ears?
    Mr. Gruenberg. Well----
    Mr. Westerman. Maybe she really wasn't your eyes and ears?
    Mr. Gruenberg. I don't know how to characterize that but in 
terms of an actual briefing on these matters, she wouldn't have 
been the one to do it.
    Mr. Westerman. Okay. So the Committee understands that 
based on the Inspector General's report that the FDIC failed to 
notify Fin-Syn that Bank Secrecy Act information was involved 
in the Florida breach until prompted to do so by the Inspector 
General. Why did the FDIC not notify Fin-Syn of the breach?
    Mr. Gruenberg. I think we should have. I think we failed to 
do so in that instance, Congressman.
    Mr. Westerman. And the Committee now understands that the 
FDIC has in fact notified Fin-Syn yet you approved the 
notification to Fin-Syn. Why do you have elevated concern when 
it comes to notifying another agency within the executive 
branch of a breach yet opted not to report the Florida incident 
to Congress until prompted by the Inspector General?
    Mr. Gruenberg. I think as we discussed earlier, it was a 
matter of assessing the incident, and I think what occurred 
was, there was an assessment that while the incident was a 
breach, the initial assessment was that it didn't rise to a 
level of a major incident. When the IG reviewed it and reached 
a different conclusion and notified us in February, we then 
adopted the IG's approach to the incident and then reported it 
as a major incident.
    Mr. Westerman. So it took the IG's notification to raise 
the level of concern enough to actually make the notification?
    Mr. Gruenberg. I think the IG indicated that the approach 
the agency was taking to assessing the incident was incorrect, 
and we were using--considering factors relating to risk of harm 
that weren't appropriate, that weren't really incorporated in 
the guidance. When that was made clear, we then adopted the 
IG's approach to applying the guidance and then reported it as 
a major incident.
    Mr. Westerman. Would you say that's an abnormal occurrence 
or is that--or have things like that happened before where it 
takes notification from the IG to move forward?
    Mr. Gruenberg. I don't know that I can generalize. I think 
this was an instance in which a breach occurred, new guidance 
was issued by OMB, so we were attempting to evaluate and apply 
the guidance to the breach. I think we frankly didn't get it 
right, and when the IG made us aware of that, we then complied.
    Mr. Westerman. So for each of the Agencies' notifications 
both to Congress and Fin-Syn regarding the Florida breach, why 
did the Inspector General have to prompt your agency to report 
you instead of your staff opting to report the incident to 
proper entities in real time as it learned of the breach? Are 
you saying that your staff just didn't understand the 
seriousness of the breach or the level of the breach?
    Mr. Gruenberg. I think the assessment was that the incident 
was a breach. I think the initial assessment was that it didn't 
rise to the level of a major incident, and as I indicated, when 
the IG provided us analysis to the contrary, we then adopted 
the IG's approach.
    Mr. Westerman. So have there been corrective actions taken 
so that the staff is trained better or----
    Mr. Gruenberg. Yes, that's one of the recommendations of 
the IG that we have concurred with and are following through 
on.
    Mr. Westerman. What kind of steps are you taking to make 
sure this doesn't happen again?
    Mr. Gruenberg. In addition to as a threshold adopting the 
application of the guidance consistent with the IG's approach, 
we're incorporating it in policies and procedures to ensure 
that any incidents like this are reported in a timely way going 
forward.
    Mr. Westerman. And what would you say your confidence level 
is that if something like this were to happen again that it 
would be reported without the IG having to get involved?
    Mr. Gruenberg. I think at this point I have a pretty high 
confidence level.
    Mr. Westerman. Okay. That's all the questions I have, Mr. 
Chairman. I yield back.
    Mr. Loudermilk. I thank the gentleman from Arkansas, and 
we'll begin our second round of questioning, and I recognize 
myself for five minutes.
    Mr. Gruenberg, your CIO, Larry Gross, as you know, 
testified before my Subcommittee, the Oversight Subcommittee, 
back in May of this year. At that hearing, Mr. Gross provided 
this Committee with false and misleading testimony in multiple 
incidents about the cybersecurity breaches reported to 
Congress. For example, I asked Mr. Gross about the Florida 
cyber breach where an FDIC employee leaving the agency 
knowingly downloaded over 71,000 counts of personally 
identifiable information and sensitive bank information onto an 
external hard drive. She then denied owning the external hard 
drive, claimed she did not download the information, and 
refused to cooperate with FDIC officials and OIG officials 
trying to recover the hard drive.
    Ultimately, three months after she took the information, 
the breacher hired an attorney to negotiate with the FDIC over 
the return of the hard drive with the information on it. Mr. 
Gross told the Committee that in his opinion, the breacher was 
``telling the truth,'' and Mr. Gross said, ``I don't believe 
she realized she took FDIC-specific data.''
    We now know that this was not true, and Mr. Gross knew at 
the time that this was not true. Mr. Gross also claimed in the 
hearing that ``the individuals involved in these instances were 
not computer proficient,'' which we also know to be false. In 
fact, the Florida incident breacher held two master's degrees 
in information technology, which I think any reasonable person 
would consider that to be proficient in computer technology.
    This Committee wrote to you a letter on May 19, 2016, 
articulating these misleading statements and more that Mr. 
Gross made at that hearing. Mr. Gibson, can you corroborate of 
those statements that were made in the May hearing by Mr. Gross 
and their inconsistencies?
    Mr. Gibson. Sir, I believe you've described accurately what 
was said during the hearing, you know, as well as the facts 
that surround the statements themselves.
    Mr. Loudermilk. Thank you for that.
    Mr. Gruenberg, your response to our letter did not address 
any of these inconsistencies. With that, Mr. Gruenberg, do you 
condone Mr. Gross, your CIO, lying to Congress?
    Mr. Gruenberg. Congressman, I can share with you my 
perspective on it for----
    Mr. Loudermilk. Please do.
    Mr. Gruenberg. As I indicated earlier, I think Mr. Gross 
was assessing the facts of the situation relating both to the 
inadvertence of the employee taking the information as well as 
the issue of her proficiency. It's my understanding and belief 
that the conclusions he reached were sincerely reached.
    Mr. Loudermilk. But Mr. Gibson was here at that testimony 
and just corroborated that Congress was misled and that the 
information that Mr. Gross provided this Committee was 
inconsistent. Do you--so you do not believe that he 
misrepresented the information or misled the Committee through 
his testimony in May?
    Mr. Gruenberg. That was not my perception of it. I was not 
aware that was the IG's perception.
    Mr. Loudermilk. Mr. Gibson?
    Mr. Gibson. Sir, what I can say is, I can say that the 
statements were not--we don't believe the statements were 
correct. We don't believe they were accurate. Now, we haven't 
looked at his intent in doing that so I can't answer that. But 
as far as the accuracy of the statements themselves goes, I 
don't believe the statements were accurate.
    Mr. Loudermilk. And that's what I was getting at. The 
statements were not accurate. All indications are that he knew 
different than what he was making a statement to Congress, and 
to me, trying--I mean, legally when you try to build a false 
perception, is misleading, which is a form of lying, but you do 
not believe that that was what Mr. Gross was doing, even with 
all the evidence that's being presented here and in the letter 
that was provided to you, which you failed to respond to.
    Mr. Gruenberg. I think the issue is intentionality, and I 
think if I understand it correctly, the IG's view is that Mr. 
Gross didn't get it right.
    Mr. Loudermilk. But the issue is what he said, not his 
intention. I don't know if he intended to lie to Congress but 
what he said was not true, and he knew that it wasn't.
    Mr. Gruenberg. Well, I believe--for what it's worth--I 
believe Mr. Gross thought he was--he was giving you his honest 
view of the matters. He may have gotten the--he may have gotten 
it wrong. I don't take----
    Mr. Loudermilk. So you say that Mr. Gross as the CIO does 
not consider someone who has two master's degrees in 
information technology to be computer proficient?
    Mr. Gruenberg. I don't know that he was aware of that at 
the time, Congressman.
    Mr. Loudermilk. But then he would make a statement saying 
that she wasn't computer proficient without having any--it 
sounds like he's trying to cover something.
    Mr. Gruenberg. I can't--again, I can't speak to his 
intentionality. I think he believed the woman lacked 
proficiency.
    Mr. Loudermilk. And I pressed him on this because he was 
very consistent in saying he did not believe this was 
intentionally done. He believed that all instances were not 
intentional. But yet there were already facts that we found out 
at the time that were well known. She had hired an attorney. 
She--I mean, it was obvious that it was intentional, and we 
found more evidence since then, but yet he consistently said he 
believed it was unintentional. I just don't see how you get 
around that he misled Congress.
    Mr. Gruenberg. Well, it's hard for me to speak to what was 
in Mr. Gross's mind. It was my belief and perception that he 
was giving you his sincere testimony. It may have been 
incorrect in terms of evaluating the information. I think he 
would suggest that there was information on both sides and he 
reached a conclusion in good faith. I think that's what Mr. 
Gross would indicate.
    Mr. Loudermilk. Mr. Gibson, in your opinion, in your 
investigation, was this breach intentional, the Florida?
    Mr. Gibson. Well, sir, it was described as inadvertent, and 
I certainly don't see it as inadvertent. You know, I would--the 
material was downloaded deliberately. The material was 
downloaded intentionally. There were file structures that were 
created in order to accommodate it independently. I mean, I'm 
really not sure how you could--a reasonable person would have 
to conclude that it was intentional.
    Mr. Loudermilk. So my understanding was, as this was being 
downloaded, the lady--the employee created--specifically 
created folders that read personal and FDIC information, 
created those folders, which would give an intent that they 
were intending to download--that's what----
    Mr. Gibson. That's would a reasonable--I think a reasonable 
person could conclude that, yes.
    Mr. Loudermilk. Mr. Gruenberg, I understand defending an 
employee, but if I was in your position, I would be gravely 
concerned with the testimony that Mr. Gross gave here in light 
of the advice that he's giving you may not be consistent as 
well. Do you have any intention of disciplining Mr. Gross for 
his testimony to Congress?
    Mr. Gruenberg. I think, Congressman, in light of the issues 
you raised, we will review this situation.
    Mr. Loudermilk. Well, I appreciate that.
    With that, I recognize my good friend, the gentleman from 
Virginia, Mr. Beyer, for five minutes.
    Mr. Beyer. Thank you, Mr. Chairman, very much.
    Mr. Gruenberg, I built a Land Rover-Range Rover dealership 
across the river, and seven, eight years ago, one of my Land 
Rover technicians stole all of our customer records, and he 
went out and opened his own business, and he had a running 
start because he was able to market to all of them. I could 
never prove it in a court of law so I just got to be angry 
about it. But it did make us go back and think about all of our 
password protections and changing it every 30 days and the 
like. What was going on in the culture at FDIC that would lead 
employees to download records and take them home? They're 
clearly not going to start a competing FDIC.
    Mr. Gruenberg. I can't, you know--we had a number of these 
incidents that were similar in their fact pattern where 
employees were leaving the agency, they had utilized removable 
media, downloading personal information and downloading in 
addition sensitive information from the agency. I don't know if 
there was any connecting pattern there. I don't know that I can 
speak to that. It did--it does speak obviously to an underlying 
technological vulnerability we had relating to permitting 
employees to use their removable media, and that's at least 
what we've tried to address.
    Mr. Beyer. Thank you. There was a slide up earlier about 
the transcribed interview with another FDIC employee. It talked 
about directions from Roberta McInerney about not creating an 
email record. I understand the Majority staff had set up an 
interview with Ms. McInerney and then had to cancel it. Are you 
aware of any ongoing efforts that will be made to actually 
interview Ms. McInerney and try to get to the bottom of why she 
did this?
    Mr. Gruenberg. It's my understanding that the interview was 
postponed. I can't speak to whether it'll be rescheduled or 
not.
    Mr. Beyer. Any sense of the consequences from the top for 
Ms. McInerney for giving these directions?
    Mr. Gruenberg. I think we'll have to review the 
circumstances here.
    Mr. Beyer. Okay. Certainly, from a good government, 
transparent government perspective, if true, it's pretty 
terrible stuff.
    The OIG and some in the CIO's own office disagreed with the 
CIO's initial determination that the Florida incident wasn't a 
quote, unquote, major incident, but then after the February 19 
OIG memo recommending the breach be determined major and 
immediately reported to Congress, you did that within 7 days. 
In fact, the CIO had said that the FDIC agreed to abide by the 
OIG's interpretation of a major incident as defined in OMB memo 
1603.
    However, one of the recent major incidents, the one on 
March 26, 2016, wasn't reported to Congress for 5 weeks until 
May 9, 2016, which is well after the 7-day reporting 
requirement, well after you'd agreed that the OMB memo made 
sense. Can you explain the delay in Congressional notification, 
and do we have your assurance that data breaches determined to 
be major will be reported within the 7-day time period?
    Mr. Gruenberg. Yes, you certainly do, Congressman.
    Mr. Beyer. Any idea how to explain the 5-week breach from 
March 26 to May 9? Because this is significantly later than the 
October incident last year.
    Mr. Gruenberg. I think--I have to go back and check for 
sure. We were also checking the record for the breaches going 
back to October 30, whether other breaches had occurred, and we 
were identifying additional breaches, and I think the thought 
was to aggregate them and bring them together and report them 
at one time to Congress so they'd have the benefit of all of 
them. In retrospect, we probably should have just gone ahead 
with the 7-day.
    Mr. Beyer. Because it's easier to explain the October one 
where it was initially identified as not major than to explain 
and to justify the later ones.
    Mr. Chair, I yield back.
    Mr. Loudermilk. I thank the gentleman from Virginia, and 
the Chair recognizes the gentleman from Louisiana, Mr. Abraham, 
for five minutes.
    Mr. Abraham. Thank you, Mr. Chairman.
    Mr. Gruenberg, I think in this hearing and the other 
hearings that I've attended in Congress, if I had a dollar for 
every time I heard the phrase ``I'll review and get back to 
you,'' I could significantly pay down the national debt.
    I've got a letter that I'll ask to submit for the record, 
Mr. Chairman, that Mr. Gruenberg wrote to you and Chairman 
Smith May 25, 2016.
    Mr. Loudermilk. Without objection, so ordered.
    [The information appears in Appendix II]
    Mr. Abraham. Mr. Gruenberg, in this letter, you wrote that 
Chairman it was discussing the major incidences that you have 
not reported to Congress. In your letter, you wrote, and I 
quote, ``In each instance, the information was recovered and 
there was no evidence of further dissemination or disclosure.'' 
Do you stand by that statement in the letter?
    Mr. Gruenberg. Yeah, I believe we have no evidence of 
further dissemination, yes, sir.
    Mr. Abraham. Well, I may disagree a little bit. Isn't it 
true that at least one of the cases you were only able to 
recover a copy of the USB that was taken off premise?
    Mr. Gruenberg. Yes, in one case the original----
    Mr. Abraham. You didn't get the original back?
    Mr. Gruenberg. Correct. It had been destroyed.
    Mr. Abraham. So really, you didn't recover all the 
evidence?
    Mr. Gruenberg. Oh, we recovered--there was a copy made and 
we did----
    Mr. Abraham. But we still got something out there possibly?
    Mr. Gruenberg. We do. That's--you know, that's why you 
can't say with certainty that there was no dissemination. We 
just haven't identified any.
    Mr. Abraham. Mr. Gibson, what's your take on this?
    Mr. Gibson. Well, sir, in--I have to think through the 
incidents themselves. In at least----
    Mr. Abraham. Well, let's just take this one case.
    Mr. Gibson. In that one case, you know, the individual took 
the USB drive when they left the agency. They copied the data 
off of it at some point in time, destroyed the original USB 
drive----
    Mr. Abraham. Do we know that it was destroyed?
    Mr. Gibson. No, we don't. There's no assurance----
    Mr. Abraham. That's a major concern to me. I mean, I can 
tell you one thing, but doing something is a whole different----
    Mr. Gibson. Yeah. No, it was done in a manner where there 
really isn't any assurance of what happened to it. I mean, 
there was no receipt for it. It was given to a third party to 
destroy. There was no receipt. There's no record at the company 
of the destruction. There's no way for us to verify 
independently that it was done.
    Mr. Abraham. And clarify for me, has it now been stopped, a 
development of a program that would detect these insider 
threats? Is that where we're at now that we are not developing 
a program? Where does that stand?
    Mr. Gruenberg. That's one of the recommendations of the 
IG's report, and we've concurred with it and are in the--we 
have been developing the program and we anticipate bringing it 
to a conclusion and implementation by the end of this year, I 
believe, Congressman.
    Mr. Abraham. I mean, it just--it's beyond the pale that we 
wouldn't want to detect an insider threat.
    Mr. Gruenberg. Right. No, no it's----
    Mr. Abraham. Certainly after Mr. Snowden's major episode.
    I yield back, Mr. Chairman. Thank you, sir.
    Mr. Loudermilk. I thank the gentleman, and also I would 
like to thank the Office of the Inspector General for the two 
reports recently issued on this, the FDIC's control for 
mitigating the risk of unauthorized release of sensitive 
resolution plans and also the FDIC's process for identifying 
and reporting major information security incidents. We thank 
you for your work on that, and without objection, I would like 
to submit these for the record.
    Without objection, so ordered.
    [The information appears in Appendix II]
    Mr. Loudermilk. I also look forward to Mr. Gruenberg 
responding to the numerous questions and requests in a timely 
manner to the Committee because this is an ongoing 
investigation and we'll continue to investigate and research 
the facts in this matter in the coming weeks and months, and I 
thank both witnesses, Mr. Gibson and Mr. Gruenberg, for being 
with us today. I thank our Members of the Committee for their 
very important questions.
    And just a reminder that the record will remain open for 
two weeks for additional comments and written questions from 
Members.
    Mr. Loudermilk. And with that, this meeting is adjourned.
    [Whereupon, at 12:17 p.m., the Committee was adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                              Appendix II

                              ----------                              


                   Additional Material for the Record


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
