Exclusive: SEC forensics unit sought resources, cyber
training ahead of 2016 hack
Send a link to a friend
 [October 04, 2017]
By Sarah N. Lynch
WASHINGTON (Reuters) - In August 2016, just
two months before the U.S. Securities and Exchange Commission discovered
its corporate filing system had been hacked, the SEC's internal
watchdog, Carl Hoecker, received a plea for help from his new forensics
investigative unit.
In a three-page memo that was shared with U.S. Congressional staff and
seen by Reuters, the head of the forensics unit complained of "serious
deficiencies" in equipment, inadequate cyber defense training, and a
lack of communication with the SEC's Office of Information Technology (OIT).
The forensics unit's staff were told to use equipment due for disposal
when they asked for supplies and ended up repurposing computer hard
drives instead. Their hardware budget for the fiscal 2017 year at
$100,000 was about half a million dollars short of what was needed, the
memo said.
"Even though the (Digital Forensics and Investigations Unit) has been in
existence for over one year, there is no strategic vision and no clear
objectives," it read.
The concerns in the memo, however, were never addressed, according to
sources familiar with the matter, and the Office of the Inspector
General (OIG), run by Hoecker, was not notified of the October 2016
breach of the SEC's corporate filing system known as EGDAR until many
months later.
In August 2017, nearly a year after the hack, the inspector general's
office was asked to review the incident after SEC Chairman Jay Clayton
learned about it, according to sources.
Clayton will face questions about the security breach when he testifies
before the U.S. House Financial Services Committee on Wednesday.
He has asked the inspector general's office to launch a review into the
intrusion. What role, if any, that the digital forensics unit will play
in that review remains unclear.
Raphael Kozolchyk, a spokesman for the Office of the Inspector General,
did not respond to more than half a dozen requests from Reuters for
comment. Hoecker did not respond to an email seeking comment.
Christopher Carofine, a spokesman for the SEC, declined to comment.
The SEC has been criticized for the length of time it took to disclose
the hack and the delay in uncovering its extent. Its cyber defenses and
practices have been questioned in the past, including by auditors inside
Hoecker's office.
Hoecker created the forensics unit in 2015. Besides assisting with
computer forensics on internal criminal and civil probes, the office was
also charged with helping to identify "threats to the SEC's sensitive
information systems" and to provide "cyber security capability," he told
Congress in two public reports in 2015 and 2016.
The 2016 memo, however, raises questions about the inspector general's
handling of its own forensics unit and whether it could have been in a
better position to respond to and investigate the problem when it was
first detected in October 2016.
"With the recent breach, the SEC and the SEC OIG need to make sure they
didn't overlook any warnings or calls for improvements that might have
prevented a breach," Republican Senator Charles Grassley of Iowa told
Reuters in a statement.
[to top of second column] |
The seal of the U.S. Securities and Exchange Commission hangs on the
wall at SEC headquarters in Washington, DC, U.S. on June 24, 2011.
REUTERS/Jonathan Ernst/File Photo
"An agency that protects the integrity of public securities has to be up to
speed on threats and how to prevent them."
ENFORCEMENT MUSCLE
The SEC's Inspector General's Office is an independent internal watchdog that is
tasked with policing waste, fraud and abuse and is staffed with investigators
and auditors.
While the inspector generals at some of the larger government agencies are
nominated by the President, the SEC's inspector general is hired by and answers
to the agency's commissioners.
Under Hoecker, the SEC's Inspector General's Office has undergone a major
restructuring.
Prior to his arrival in 2013, the office's investigative staff did not have any
criminal law enforcement powers and focused primarily on administrative probes
involving SEC employees.
But Hoecker decided to take advantage of a provision in federal law that allows
inspector generals' offices to have law enforcement powers. He hired special
agents who can carry firearms, conduct criminal investigations, make arrests and
execute search warrants.
The Digital Forensics and Investigations Unit was part of Hoecker's plan to have
more enforcement muscle so that his office could conduct criminal investigations
into hacking and provide forensic support on investigations.
As part of that vision, the forensics unit proposed conducting a full review of
the SEC's computer network, and wanted to develop a reporting system with the
Office of Information Technology to help keep track of all cyber incidents,
according to government documents shared with congressional staff.
Despite that proposal, the inspector general's office has not received real-time
notifications of cyber incidents, according to sources, a public 2017 audit of
the SEC's information security program, and internal government documents seen
by Reuters.
"It is not uncommon to have a big push to do a cyber security initiative and
then have the organization be uncomfortable with the nature and type of
initiative people are starting," said Beau Woods, a cyber security expert with
the Atlantic Council.
"It sounds like there is either a communications gap, or a leadership gap, or
both, where the right information is not getting to the right people."
The inspector general's investigators have done few, if any, probes related to
cyber intrusions and most of their investigations, ranging from time and
attendance fraud by SEC staffers to ethics violations, have not led to criminal
charges despite the efforts to step up the office's enforcement powers.
From January 2013 through April 2017, of the 71 cases referred for criminal
prosecution to U.S. Attorneys offices, a total of 50, or about 71 percent, were
declined, according to statistics obtained by Reuters through a Freedom of
Information Act request.
(Reporting by Sarah N. Lynch; editing by Carmel Crimmins)
[© 2017 Thomson Reuters. All rights
reserved.] Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
