China's spies hacked into computers at the Federal Deposit Insurance Corporation from 2010 until 2013 -- and American government officials tried to cover it up, according to a Congressional report.
The House of Representatives' Science, Space and Technology Committee released its investigative report on Wednesday.
It presents the FDIC's bank regulators as technologically inept -- and deceitful.
According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency's top officials: the FDIC chairman, his chief of staff, and the general counsel.
When congressional investigators tried to review the FDIC's cybersecurity policy, the agency hid the hack, according to the report.
Investigators cited several insiders who knew about how the agency responded. For example, one of the FDIC's top lawyers told employees not to discuss the hacks via email -- so the emails wouldn't become official government records.
FDIC Chairman Martin Gruenberg is being summoned before the Congressional committee on Thursday to explain what happened.
The FDIC refused to comment. However, in a recent internal review, the agency admits that it "did not accurately portray the extent of risk" to Congress and recordkeeping "needs improvement." The FDIC claims it's now updating its policies.
Given the FDIC's role as a national banking regulator, the revelation of this hack raises serious concern.
The FDIC's role is to monitor any bank that isn't reviewed by the Federal Reserve system. It has access to extremely sensitive, internal information at 4,500 banks and savings institutions.
The FDIC also insures deposits at banks nationwide, giving it access to vast amounts of information on Americans.
"Obviously it's indicative of the Chinese effort to database as much information as possible about Americans. FDIC information is right in line with the deep personal information they've gone for in the past," said computer security researcher Ryan Duff. He's a former member of U.S. Cyber Command, the American military's hacking unit.
"Intentionally avoiding audits sounds unethical if not illegal," he added.
Congressional investigators discovered the hacks after finding a 2013 memo from the FDIC's own inspector general to the agency's chairman, which detailed the hack and criticized the agency for "violating its own policies and for failing to alert appropriate authorities."
The report also says this culture of secrecy led the FDIC's chief information officer, Russ Pittman, to mislead auditors. One whistleblower, whose identity is not revealed in the report, claimed that Pittman "instructed employees not to discuss... this foreign government penetration of the FDIC's network" to avoid ruining Gruenberg's confirmation by the U.S. Senate in March 2012.
David Kennedy, a computer security expert and former analyst at the NSA spy agency, worries that federal agencies are repeatedly hiding hacks "under the blanket of national security."
"With such a high profile breach and hitting the top levels of the FDIC, it's crazy to me to think that this type of information wasn't publicly released. We need to be deeply concerned around the disclosure process around our federal government," said Kennedy, who now runs the cybersecurity firm TrustedSec.
This same committee, led by Republican Congressman Lamar Smith of Texas, has previously criticized the FDIC for minimizing data breaches.
Several cybersecurity experts -- who have extensive experience guarding government computers -- expressed dismay at the alleged coverup.
"It's incumbent upon our policymakers to know about these data breaches so we can properly evaluate our defenses. Trying to hide successful intrusions only makes it easier for the next hacker to get in," said Dan Guido, who runs the cybersecurity firm Trail of Bits.