Forensic investigative unit was forced to use equipment tagged for scrap.
Last month, the Securities and Exchange Commission revealed a 2016 breach of a test system that allowed an unknown party to get access to unpublished corporate information in the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The breach potentially allowed the bad actors to profit from trades based on the information. SEC Chairman Jay Clayton revealed the extent of that breach in a policy statement on the importance of the commission's cyber-security mission. But just a few months before the SEC discovered the initial breach last year, as Reuters reports, members of the SEC's own internal digital forensics and security team wrote a letter bemoaning the lack of support they received from the agency's Office of Information Technology and SEC leadership.
In a memo sent to the SEC's inspector general, the head of the SEC's Digital Forensics and Investigations Unit complained that his team was woefully underfunded, undertrained, and forced to work with repurposed equipment and hard drives that had been designated by other branches of the SEC for disposal. The memo to SEC Inspector General Carl Hoecker, shared with Reuters by a congressional staffer, cited "serious deficiencies" in funding and support. The entire hardware budget for the unit was $100,000 for fiscal year 2017—half a million under the amount needed.
Normally, complaints to the inspector general of an agency get significant attention. However, in this case, the complaint was directed to Hoeker because he oversaw the unit. The Digital Forensics and Investigation Unit was created by Hoeker in 2015 not just for internal security investigations but so his office could play a role in the SEC's law enforcement role—providing forensic support to SEC criminal investigations. In a 2016 report to Congress, Hoeker described the role of the unit within the SEC Office of Investigations:
This new unit enhances the OIG’s investigative capability and assists in detecting, identifying, and protecting against threats to the SEC's sensitive information systems. Furthermore, the OIG has added auditors with information technology (IT) expertise. These staff will assist the OIG in continuing to perform its important oversight function as the SEC continues to make needed technological improvements to achieve its mission.
But that vision never clearly materialized—and for that part, neither did agency funding.
"Even though the [unit] has been in existence for over one year, there is no strategic vision and no clear objectives," the memo's author wrote. The memo also cited a lack of communications from the SEC's Office of Information Technology on internal IT security issues.
Two months after the August 2016 memo was written, the SEC detected a breach in EDGAR through an application in testing that provided access to live data. But it would take nearly a year for the SEC to determine the extent of the breach.
https://arstechnica.com/information-technology/2017/10/sec-hack-came-as-internal-security-team-begged-for-funding/More info on the EDGAR SEC hack. There were many questions surrounding how it happened, what the circumstances were which led to the breach being possible. Preliminary data appears to indicate those responsible for securing EDGAR were short staffed and received a mere fraction of the funding necessary to do their jobs properly. Hopefully as more data becomes available and we have a better illustration of what happened we'll have a better comprehension as to the implications of this.
