Congress: Federal bank agency CIO 'misled lawmakers and hid breaches'


Written by

The chief information officer of the Federal Deposit Insurance Corp. misled congressional overseers to cover up cybersecurity breaches at the agency, retaliated against whistleblowers and those who disagreed with him, and generally created a toxic work environment for his team, congressional staff allege in a report published Wednesday.

CIO Larry Gross ‘has created a work environment defined largely by vindictiveness and retaliation,’ reads the report, authored by Republican staffers working for the House Science, Space and Technology Committee, and based on a series of formal interviews with a handful of FDIC staff.

The report alleges Gross transferred or forced into early retirement two cyber experts who challenged his judgment, and accuses him of ‘retaliating against individuals within the CIO organization who have provided testimony to the committee the course of its investigation.’

Gross has ‘silenced or ignored those who disagree with his viewpoints,’ the report charges.

The report also says that, before Gross took over the CIO’s office in 2015, the agency was penetrated at least three times — in 2010, 2011 and 2013 — by suspected Chinese hackers and failed to report it either to Congress or the ‘appropriate authorities’ — likely the FBI.

The FDIC press office declined to comment for the record or to make Gross available for an interview.

The agency’s chairman will testify Thursday before the committee, and the report says he will be asked about discrepancies committee staff have found.

The committee’s investigation was prompted when, earlier this year, the FDIC reported two breaches last year involving the downloading to thumb drives of masses of sensitive personal and banking information by departing staff.

[Read more: Audit — Vulnerabilities, poor monitoring hurting FDIC’s security]

In both cases, the agency said in letters to Congress and reiterated in Gross’ May 12 testimony before the committee, the downloads were inadvertent; occurred — at least in part — because ‘the individuals involved … were not computer proficient’; and were resolved in a cooperative, amicable fashion.

This despite the fact, the report charges, that one of the departing employees possessed a master’s degree in IT management and hired a lawyer to negotiate the return of the thumb drive.

‘These facts poke holes in the agency’s narrative that this was an inadvertent breach,’ the report states, adding that there has been ‘a continued pattern of obstruction and reticence by the FDIC’ toward the committee’s investigation.

In total, the authors state, more than 160,000 individuals had their personal information compromised by these employee downloads, but the agency did not take steps to notify and provide credit monitoring for the victims until Gross was hauled over the coals by the committee on May 12.

[Read more: FedScoop’s coverage of the May 12 hearing on FDIC cybersecurity]

The seven whistleblowers interviewed by committee staff allegedly told them that FDIC officials ‘created a narrative for the committee in an effort to deter the committee from pursuing the issue of the agency’s cybersecurity breaches any further.’

The report concludes that the agency deliberately mischaracterized the ‘severity of the breaches and intentionally [withheld] information from Congress.’