Exclusive: Fed records show dozens of
cybersecurity breaches
[June 01, 2016]
By Jason Lange and Dustin Volz
WASHINGTON (Reuters) - The U.S. Federal
Reserve detected more than 50 cyber breaches between 2011 and 2015, with
several incidents described internally as "espionage," according to Fed
records.
The central bank's staff suspected hackers or spies in many of the
incidents, the records show. The Fed's computer systems play a
critical role in global banking and hold confidential information on
discussions about monetary policy that drives financial markets.
The cybersecurity reports, obtained by Reuters through a Freedom of
Information Act request, were heavily redacted by Fed officials to
keep secret the central bank's security procedures.
The Fed declined to comment, and the redacted records do not say who
hacked the bank's systems or whether they accessed sensitive
information or stole money.
"Hacking is a major threat to the stability of the financial system.
This data shows why," said James Lewis, a cybersecurity expert at
the Center for Strategic and International Studies, a Washington
think tank. Lewis reviewed the files at the request of Reuters.
For a graphic on the Fed security breaches, see:
http://tmsnrt.rs/1TxSu8R
The records represent only a slice of all cyber attacks on the Fed
because they include only cases involving the Washington-based Board
of Governors, a federal agency that is subject to public records
laws. Reuters did not have access to reports by local cybersecurity
teams at the central bank's 12 privately owned regional branches.
The disclosure of breaches at the Fed comes at a time when
cybersecurity at central banks worldwide is under scrutiny after
hackers stole $81 million from a Bank Bangladesh account at the New
York Fed.
Cyber thieves have targeted large financial institutions around the
world, including America's largest bank JPMorgan, as well as smaller
players like Ecuador's Banco del Austro and Vietnam's Tien Phong
Bank.
Hacking attempts were cited in 140 of the 310 reports provided by
the Fed's board. In some reports, the incidents were not classified
in any way.
In eight information breaches between 2011 and 2013 - a time when
the Fed's trading desk was buying massive amounts of bonds - Fed
staff wrote that the cases involved "malicious code," referring to
software used by hackers.
Four hacking incidents in 2012 were considered acts of "espionage,"
according to the records. Information was disclosed in at least two
of those incidents, according to the records. In the other two
incidents, the records did not indicate whether there was a breach.
In all, the Fed's national team of cybersecurity experts, which
operates mostly out of New Jersey, identified 51 cases of
"information disclosure" involving the Fed's board. Separate reports
showed a local team at the board registered four such incidents.
The cases of information disclosure can refer to a range of ways
unauthorized people see Fed information, from hacking attacks to Fed
emails sent to the wrong recipients, according to two former Fed
cybersecurity staffers who spoke on condition of anonymity.
The former employees said that cyber attacks on the Fed are about as
common as at other large financial institutions.
It was unclear if the espionage incidents involved foreign
governments, as has been suspected in some hacks of federal
agencies. Beginning in 2014, for instance, hackers stole more than
21 million background check records from the federal Office of
Personnel Management, and U.S. officials attributed the breach to
the Chinese government, an accusation denied by Beijing.
TARGET FOR SPYING
Security analysts said foreign governments could stand to gain from
inside Fed information. China and Russia, for instance, are major
players in the $13.8 trillion federal debt market where Fed policy
plays a big role in setting interest rates.
"Obviously that makes it a very clear (hacking) target for other
nation states," said Ari Schwartz, a former top cybersecurity
adviser at the White House who is now with the law firm Venable.
The Federal Reserve headquarters in Washington September 16 2015.
REUTERS/Kevin Lamarque
U.S. prosecutors in March accused hackers associated with Iran's
government of attacking dozens of U.S. banks.
In the records obtained by Reuters, espionage might also refer to
spying by private companies, or even individuals such as British
activist Lauri Love, who is accused of infiltrating a server at a
regional Fed branch in October 2012. Love stole names, e-mail
addresses, and phone numbers of Fed computer system users, according
to a federal indictment.
The redacted reports obtained by Reuters do not mention Love or any
other hacker by name.
The records point to breaches during a sensitive period for the Fed,
which was ramping up aid for the struggling U.S. economy by buying
massive quantities of U.S. government debt and mortgage-backed
securities.
In 2010 and 2011, the Fed went on a $600 billion bond-buying spree
that lowered interest rates and made bonds more expensive. It
restarted purchases in September 2012 and expanded them in
December of that year.
The Fed cybersecurity records did not indicate whether hackers
accessed sensitive information on the timing or amounts of bond
purchases or used it for financial gain.
UP ALL NIGHT
The Fed's national cybersecurity team - the National Incident
Response Team, or NIRT - created 263 of the incident reports
obtained by Reuters.
NIRT operates in a fortress-like building in East Rutherford, New
Jersey that also processes millions of dollars in cash every day as
part of the central bank's duty to keep the financial system
running, according to the New York Fed's website. The unit provides
support to the local cybersecurity teams at the Fed's Board and
regional banks, which process more than $3 trillion in payments
every day.
The NIRT handles "higher impact" cases, according to a 2013 report
by the Board of Governors' Office of Inspector General.
One of the two former NIRT employees interviewed by Reuters
described being on a team that once worked around the clock for
five straight days to patch software hackers had used to gain access
to Fed systems in an attempt to obtain passwords. The former
employee worked through several of those nights, taking naps at a
desk in the office.
In that case, Fed security staff found no signs that sensitive
information had been disclosed, the former employee said.
Information about future interest rate policy discussions is
isolated from other Fed networks and is more difficult for hackers
to access, the former NIRT worker said.
But the Fed was under constant assault, much like any large company,
the former employee said, and was "compromised frequently."
An internal watchdog has criticized the central bank for
cybersecurity shortcomings. A 2015 audit by the Fed board's Office
of Inspector General found the board was not adequately scanning
databases for vulnerabilities or putting enough restrictions on
system access.
"There is heightened risk of unauthorized disclosure and
inappropriate use of sensitive board information," according to the
audit released in November.
(Reporting by Jason Lange and Dustin Volz; Editing by David Chance
and Brian Thevenot)
[© 2016 Thomson Reuters. All rights
reserved.]