The House Committee on Science, Space and Technology is giving the FDIC chairman and CIO a chance to revise the latter’s testimony from a May 12 hearing investigating the corporation’s response to several major data breaches and failure to report the incidents to Congress.
During that hearing, FDIC CIO Larry Gross told lawmakers the seven breaches — all of which involved outgoing employees leaving the agency with tens of thousands of sensitive records, affecting a combined 160,000 individuals — were inadvertent, not malicious and, in his assessment, didn’t rise to the level of “major” breach.
Gross and FDIC officials ultimately agreed with the inspector general’s ruling that these incidents do deserve the “major” designation and retroactively reported all seven to Congress.
However, lawmakers were not satisfied and opened an investigation into the FDIC’s response policies, which included the May 12 public hearing. After that initial hearing, Committee members still aren’t satisfied with what they’re calling the FDIC’s “lackluster response to the Committee’s document requests” and Gross’ “false and misleading” testimony.
“Witnesses who purposely give false or misleading testimony during a congressional hearing may be subject to criminal liability,” Committee Chairman Lamar Smith, R-Texas, and Oversight Subcommittee Chairman Barry Loudermilk, R-Ga., wrote in a May 19 letter to FDIC Chairman Martin Gruenberg. “With that in mind, we write to request that Mr. Gross correct the record and to implore him to be truthful with the American public about matters related to FDIC cybersecurity breaches.”
The letter requests clarification on a number of points, but two stand out: whether a particular breach was truly caused by the employee’s lack of technical skill, and the discrepancies between the CIO’s and the IG’s responses to the Committee’s document request.
Mastery of IT
While the May 12 hearing addressed seven separate incidents in which outgoing employees left with sensitive FDIC data, much of the questioning focused on a breach that has become known internally as “the Florida incident.”
According to an IG report obtained by Federal Times, the Florida incident involved an employee downloading tens of thousands of records from her FDIC computer onto a portable hard drive before leaving the corporation for a job in the private sector.
While the IG report that spurred the FDIC to report the incident to Congress stated that the incident met the 10,000-record threshold, sources tell Federal Times the total number was actually upwards of 35,000.
In his testimony, Gross told the Committee this incident was “inadvertent” and primarily the result of the employee’s lack of proficiency with technology.
While that might have been true in some of the breaches, the former employee at the center of the Florida incident holds a master’s degree in IT management. Further, the May 19 letter asserts that Gross would have known this person’s credentials.
“Mr. Gross’ claim that the employee in question was not computer proficient raises serious questions regarding whether his testimony was intentionally misleading,” the letter states. “Considering the employee holds a master’s degree in information technology, it is troubling that she told the agency that she did not own an external hard drive or even know what an external hard drive is. Serious questions are raised when an FDIC employee holding a master’s degree in technology denies even knowing about basic computer technology and Mr. Gross, the CIO, believes the story.”
CIO’s response to documents request
During the May 12 hearing, Loudermilk noted the discrepancy between the number of documents provided by the CIO’s office and the number provided by the IG.
When he showed Gross the two stacks of paper side by side, the CIO told the Committee that much of the IG’s response was duplicative, citing multiple copies of the FDIC’s breach response policy.
In the May 19 letter, Loudermilk and Smith take issue with this assertion, stating the IG provided 883 “individually unique responsive documents,” compared with the CIO’s 88.
“It appears that Mr. Gross only wanted to provide the Committee with testimony that supported his narrative and was prepared to only discuss examples that were cherry picked from the OIG’s document production,” the letter states.
The lawmakers also criticized FDIC’s legal department for limiting the scope of the CIO’s response.
During the hearing, Gross told the Committee he was not aware of any documents that were not provided or any attempt to limit the response. The letter cites information obtained by the Committee that directly contradicts this statement.
“It appears that officials in FDIC’s legal department tasked with scoping the document request reached out to Mr. Gross’ office with their proposal to limit the universe of responsive documents,” according to the letter. “Mr. Gross apparently agreed with the legal department’s scoping of the request given that the documents received by the Committee were only a fraction of the universe of responsive documents.”
The letter contends that FDIC officials continue to withhold information from the Committee and urged them to provide all relevant documents.
The Committee asked the FDIC to respond to these issues and two other discrepancies in Gross’ testimony by May 25. An FDIC spokesperson told Federal Times the corporation received the letter and plans to respond to the Committee but declined to comment on the allegations therein.
The Committee also plans to hold additional hearings to hear about the IG’s review of the agency’s cybersecurity policies and incident response and about an ongoing criminal investigation, and to receive comments directly from Chairman Gruenberg.