Exclusive: SEC forensics unit sought resources, cyber training ahead of 2016 hack
WASHINGTON (Reuters) – In August 2016, just two months before the U.S. Securities and Exchange Commission discovered its corporate filing system had been hacked, the SEC’s internal watchdog, Carl Hoecker, received a plea for help from his new forensics investigative unit.
In a three-page memo that was shared with U.S. Congressional staff and seen by Reuters, the head of the forensics unit complained of “serious deficiencies” in equipment, inadequate cyber defense training, and a lack of communication with the SEC’s Office of Information Technology (OIT).
The forensics unit’s staff were told to use equipment due for disposal when they asked for supplies and ended up repurposing computer hard drives instead. Their hardware budget for the fiscal 2017 year at $100,000 was about half a million dollars short of what was needed, the memo said.
“Even though the (Digital Forensics and Investigations Unit) has been in existence for over one year, there is no strategic vision and no clear objectives,” it read.
The concerns in the memo, however, were never addressed, according to sources familiar with the matter, and the Office of the Inspector General (OIG), run by Hoecker, was not notified of the October 2016 breach of the SEC’s corporate filing system known as EGDAR until many months later.
In August 2017, nearly a year after the hack, the inspector general’s office was asked to review the incident after SEC Chairman Jay Clayton learned about it, according to sources.
Clayton will face questions about the security breach when he testifies before the U.S. House Financial Services Committee on Wednesday.
He has asked the inspector general’s office to launch a review into the intrusion. What role, if any, that the digital forensics unit will play in that review remains unclear.
Raphael Kozolchyk, a spokesman for the Office of the Inspector General, did not respond to more than half a dozen requests from Reuters for comment. Hoecker did not respond to an email seeking comment.
Christopher Carofine, a spokesman for the SEC, declined to comment.
The SEC has been criticized for the length of time it took to disclose the hack and the delay in uncovering its extent. Its cyber defenses and practices have been questioned in the past, including by auditors inside Hoecker’s office.
Hoecker created the forensics unit in 2015. Besides assisting with computer forensics on internal criminal and civil probes, the office was also charged with helping to identify “threats to the SEC’s sensitive information systems” and to provide “cyber security capability,” he told Congress in two public reports in 2015 and 2016.
The 2016 memo, however, raises questions about the inspector general’s handling of its own forensics unit and whether it could have been in a better position to respond to and investigate the problem when it was first detected in October 2016.
“With the recent breach, the SEC and the SEC OIG need to make sure they didn’t overlook any warnings or calls for improvements that might have prevented a breach,” Republican Senator Charles Grassley of Iowa told Reuters in a statement.
“An agency that protects the integrity of public securities has to be up to speed on threats and how to prevent them.”
The SEC’s Inspector General’s Office is an independent internal watchdog that is tasked with policing waste, fraud and abuse and is staffed with investigators and auditors.
While the inspector generals at some of the larger government agencies are nominated by the President, the SEC’s inspector general is hired by and answers to the agency’s commissioners.
Under Hoecker, the SEC’s Inspector General’s Office has undergone a major restructuring.
Prior to his arrival in 2013, the office’s investigative staff did not have any criminal law enforcement powers and focused primarily on administrative probes involving SEC employees.
But Hoecker decided to take advantage of a provision in federal law that allows inspector generals’ offices to have law enforcement powers. He hired special agents who can carry firearms, conduct criminal investigations, make arrests and execute search warrants.
The Digital Forensics and Investigations Unit was part of Hoecker’s plan to have more enforcement muscle so that his office could conduct criminal investigations into hacking and provide forensic support on investigations.
As part of that vision, the forensics unit proposed conducting a full review of the SEC’s computer network, and wanted to develop a reporting system with the Office of Information Technology to help keep track of all cyber incidents, according to government documents shared with congressional staff.
Despite that proposal, the inspector general’s office has not received real-time notifications of cyber incidents, according to sources, a public 2017 audit of the SEC’s information security program, and internal government documents seen by Reuters.
“It is not uncommon to have a big push to do a cyber security initiative and then have the organization be uncomfortable with the nature and type of initiative people are starting,” said Beau Woods, a cyber security expert with the Atlantic Council.
“It sounds like there is either a communications gap, or a leadership gap, or both, where the right information is not getting to the right people.”
The inspector general’s investigators have done few, if any, probes related to cyber intrusions and most of their investigations, ranging from time and attendance fraud by SEC staffers to ethics violations, have not led to criminal charges despite the efforts to step up the office’s enforcement powers.
From January 2013 through April 2017, of the 71 cases referred for criminal prosecution to U.S. Attorneys offices, a total of 50, or about 71 percent, were declined, according to statistics obtained by Reuters through a Freedom of Information Act request.
Reporting by Sarah N. Lynch; editing by Carmel Crimmins