SEC hack came as internal security team begged for funding

Somebody didn’t hear that whistle blowing. (credit: Securities and Exchange Commission Office of the Whistleblower)

Last month, the Securities and Exchange Commission revealed a 2016 breach of a test system that allowed an unknown party to get access to unpublished corporate information in the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The breach potentially allowed the bad actors to profit from trades based on the information. SEC Chairman Jay Clayton revealed the extent of that breach in a policy statement on the importance of the commission’s cyber-security mission. But just a few months before the SEC discovered the initial breach last year, as Reuters reports, members of the SEC’s own internal digital forensics and security team wrote a letter bemoaning the lack of support they received from the agency’s Office of Information Technology and SEC leadership.

In a memo sent to the SEC’s inspector general, the head of the SEC’s Digital Forensics and Investigations Unit complained that his team was woefully underfunded, undertrained, and forced to work with repurposed equipment and hard drives that had been designated by other branches of the SEC for disposal. The memo to SEC Inspector General Carl Hoecker, shared with Reuters by a congressional staffer, cited “serious deficiencies” in funding and support. The entire hardware budget for the unit was $100,000 for fiscal year 2017—half a million under the amount needed.

Normally, complaints to the inspector general of an agency get significant attention. In this case, however, the complaint was directed to Hoecker because he oversaw the unit. The Digital Forensics and Investigations Unit was created by Hoecker in 2015 not just for internal security investigations but so his office could play a part in the SEC’s law enforcement role—providing forensic support to SEC criminal investigations. In a 2016 report to Congress, Hoecker described the role of the unit within the SEC Office of Investigations:


Biz & IT – Ars Technica