SEC ignored warnings from forensic tech unit 2 months before breach
- The U.S. Securities and Exchange Commission revealed a congressional memo in which its forensics investigative unit asked for more resources after finding "serious deficiencies" in equipment, reports Reuters. The memo was submitted two months prior to the SEC's 2016 data breach, but the requests were never resolved.
- The Digital Forensics and Investigations Unit was formed in 2015 but lacked a "strategic vision," according to the memo. The forensic team was forced to repurpose hard drives after being told to "use equipment due for disposal." Its 2017 hardware budget needed about half a million dollars more for full functionality, according to the report.
- After the forensics team concluded there was insufficient cybersecurity training and communication failings with the SEC's Office of Information Technology, it alerted Carl Hoecker, the SEC's internal watchdog. Hoecker developed the forensic unit and ran the Office of the Inspector General, but the office did not learn of the intrusion until months afterwards.
The SEC's filing software system, Electronic Data Gathering, Analysis and Retrieval (EDGAR), was infiltrated through a vulnerability despite patches having been administered. EDGAR houses about 50 million classified documents, and it is believed the intrusion may have led to "illicit gain through trading."
The revelation that an internal SEC tech team detected insufficiencies in its technical infrastructure before a devastating breach highlights the disconnect between security protocols and the initiatives that reinforce them. It is clear the SEC's breach is not a matter of ignorance.
The SEC is not alone among federal agencies in its security mishaps. The Government Accountability Office (GAO) recently published its report on 24 government agencies, which identified the procurement of a security management program as a top shortcoming.
Cybersecurity mishaps are crippling public and private agencies. Although the SEC had a team equipped with knowledge of the agency's demands, many other organizations are not as lucky. Cybercrimes have increased about 62% over a five-year period, but about 60% of IT professionals say cybersecurity teams are understaffed or lacking the proper skill set.