Congress has launched an investigation into the Fed’s cyber security

The Federal Reserve building in Washington

By Dustin Volz and Jason Lange

WASHINGTON (Reuters) – A U.S. congressional committee has launched an investigation into the Federal Reserve’s cyber security practices after a Reuters report revealed that the U.S. central bank had been hacked more than 50 times between 2011 and 2015.

The House Committee on Science, Space and Technology on Friday sent a letter to Federal Reserve Chair Janet Yellen to express “serious concerns” over the central bank’s ability to protect sensitive financial information.

The letter cited the Reuters report, which was based on heavily redacted internal Fed records obtained through a Freedom of Information Act request. The redacted records did not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.

“These reports raise serious concerns about the Federal Reserve’s cyber security posture, including its ability to prevent threats from compromising highly sensitive financial information housed on the agency’s systems,” said the letter, signed by House Science Committee Chairman Lamar Smith, a Texas Republican, and Barry Loudermilk, a Georgia Republican and chairman of the panel’s oversight subcommittee.

The Fed had declined to comment on the cyber breaches reported by Reuters on Wednesday.

The panel asked the Fed’s national cyber security team – the National Incident Response Team – to turn over all cyber incident reports in unredacted form from Jan. 1, 2009, to the present. It also asked for incident reports from the Fed’s local incident response teams.

Global policymakers, regulators and financial institutions have become increasingly concerned about the security of the international banking system after a string of cyber attacks against banks in Bangladesh, Vietnam and elsewhere linked to fraudulent transaction messages sent across the global financial platform SWIFT.

The probe into the Fed’s security practices followed a separate inquiry by the same committee into the Federal Reserve Bank of New York’s handling of the cyber theft of $81 million from one of its accounts held by the central bank of Bangladesh.

The committee said it has jurisdiction over the Fed’s cyber security because the panel is tasked with oversight of the U.S. National Institute of Standards and Technology, an agency responsible for developing federal cyber security standards and guidelines, under a 2014 federal information technology law.

The panel also requested a “detailed description of all confirmed cyber security incidents” from 2009 to the present, all documents and communications referring or relating to “higher impact cases” handled by the Fed’s NIRT team, all documents and communications with the Fed’s Office of Inspector General related to confirmed cyber incidents, and an organizational chart detailing the Fed’s top cyber security personnel.

The committee requested a response to its inquiry by June 17.

(Reporting by Dustin Volz and Jason Lange; Editing by David Chance and Tiffany Wu)

Fed records show dozens of cybersecurity breaches

The Federal Reserve building in Washington

By Jason Lange and Dustin Volz

WASHINGTON (Reuters) – The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage,” according to Fed records.

The central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.

The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.

The Fed declined to comment, and the redacted records do not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.

“Hacking is a major threat to the stability of the financial system. This data shows why,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. Lewis reviewed the files at the request of Reuters.

For a graphic on the Fed security breaches, see: http://tmsnrt.rs/1TxSu8R

The records represent only a slice of all cyber attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws. Reuters did not have access to reports by local cybersecurity teams at the central bank’s 12 privately owned regional branches.

The disclosure of breaches at the Fed comes at a time when cybersecurity at central banks worldwide is under scrutiny after hackers stole $81 million from a Bank Bangladesh account at the New York Fed.

Cyber thieves have targeted large financial institutions around the world, including America’s largest bank JPMorgan, as well as smaller players like Ecuador’s Banco del Austro and Vietnam’s Tien Phong Bank.

Hacking attempts were cited in 140 of the 310 reports provided by the Fed’s board. In some reports, the incidents were not classified in any way.

In eight information breaches between 2011 and 2013 – a time when the Fed’s trading desk was buying massive amounts of bonds – Fed staff wrote that the cases involved “malicious code,” referring to software used by hackers.

Four hacking incidents in 2012 were considered acts of “espionage,” according to the records. Information was disclosed in at least two of those incidents, according to the records. In the other two incidents, the records did not indicate whether there was a breach.

In all, the Fed’s national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of “information disclosure” involving the Fed’s board. Separate reports showed a local team at the board registered four such incidents.

The cases of information disclosure can refer to a range of ways unauthorized people see Fed information, from hacking attacks to Fed emails sent to the wrong recipients, according to two former Fed cybersecurity staffers who spoke on condition of anonymity.

The former employees said that cyber attacks on the Fed are about as common as at other large financial institutions.

It was unclear if the espionage incidents involved foreign governments, as has been suspected in some hacks of federal agencies. Beginning in 2014, for instance, hackers stole more than 21 million background check records from the federal Office of Personnel Management, and U.S. officials attributed the breach to the Chinese government, an accusation denied by Beijing.

TARGET FOR SPYING

Security analysts said foreign governments could stand to gain from inside Fed information. China and Russia, for instance, are major players in the $13.8 trillion federal debt market where Fed policy plays a big role in setting interest rates.

“Obviously that makes it a very clear (hacking) target for other nation states,” said Ari Schwartz, a former top cybersecurity adviser at the White House who is now with the law firm Venable.

U.S. prosecutors in March accused hackers associated with Iran’s government of attacking dozens of U.S. banks.

In the records obtained by Reuters, espionage might also refer to spying by private companies, or even individuals such as British activist Lauri Love, who is accused of infiltrating a server at a regional Fed branch in October 2012. Love stole names, e-mail addresses, and phone numbers of Fed computer system users, according to a federal indictment.

The redacted reports obtained by Reuters do not mention Love or any other hacker by name.

The records point to breaches during a sensitive period for the Fed, which was ramping up aid for the struggling U.S. economy by buying massive quantities of U.S. government debt and mortgage-backed securities.

In 2010 and 2011, the Fed went on a $600 billion bond-buying spree that lowered interest rates and made bonds more expensive. It restarted purchases in September 2012 and expanded them in December of that year.

The Fed cybersecurity records did not indicate whether hackers accessed sensitive information on the timing or amounts of bond purchases or used it for financial gain.

UP ALL NIGHT

The Fed’s national cybersecurity team – the National Incident Response Team, or NIRT – created 263 of the incident reports obtained by Reuters.

NIRT operates in a fortress-like building in East Rutherford, New Jersey, that also processes millions of dollars in cash every day as part of the central bank’s duty to keep the financial system running, according to the New York Fed’s website. The unit provides support to the local cybersecurity teams at the Fed’s Board and regional banks, which process more than $3 trillion in payments every day.

The NIRT handles “higher impact” cases, according to a 2013 report by the Board of Governors’ Office of Inspector General.

One of the two former NIRT employees interviewed by Reuters described being on a team that once worked around the clock for five straight days to patch software hackers had used to gain access to Fed systems in an attempt to obtain passwords. The former employee worked through several of those nights, taking naps at a desk in the office.

In that case, Fed security staff found no signs that sensitive information had been disclosed, the former employee said. Information about future interest rate policy discussions is isolated from other Fed networks and is more difficult for hackers to access, the former NIRT worker said.

But the Fed was under constant assault, much like any large company, the former employee said, and was “compromised frequently.”

An internal watchdog has criticized the central bank for cybersecurity shortcomings. A 2015 audit by the Fed board’s Office of Inspector General found the board was not adequately scanning databases for vulnerabilities or putting enough restrictions on system access.

“There is heightened risk of unauthorized disclosure and inappropriate use of sensitive board information,” according to the audit released in November.

(Reporting by Jason Lange and Dustin Volz; Editing by David Chance and Brian Thevenot)

U.S. Federal Reserve set to keep rates unchanged

Federal Reserve Chair Janet Yellen holds a press conference in Washington

By Lindsay Dunsmuir

WASHINGTON (Reuters) – The U.S. Federal Reserve is expected to keep interest rates unchanged on Wednesday as it continues to monitor the impact from weakening global growth but may seek to signal to markets it is determined to resume policy tightening this year.

The Fed has held its overnight lending rate for banks at a target range of between 0.25 and 0.50 percent since it lifted the benchmark interest rate for the first time in a decade from near zero last December.

Since then the Fed has signaled more caution, despite the U.S. economy’s relative strength, as concerns that a slowing China would depress global growth sparked steep stock price declines and tighter financial market conditions early in the year.

Fed officials reconvened Wednesday morning as scheduled for the second day of the two-day meeting, a Fed spokesperson said. A policy decision statement is due to be released at 2 p.m. EDT (1800 GMT). Fed Chair Janet Yellen is not scheduled to hold a press conference.

Markets have turned up since the last rate decision in March. The S&P 500 [.SPX] has risen more than 14 percent since mid-February. China’s economy has also shown more positive signs, growing at a 6.7 percent pace in the first quarter.

A Reuters poll of more than 80 economists showed expectations were for two rate increases this year, with the possibility the Fed will hike in June.

Additionally, some of the pressures that have kept inflation lower than the Fed would like have abated. Oil prices have rallied, with the Brent benchmark crude [LC0c1] up 20 percent to around $44 a barrel since the Fed’s December rate hike, while the dollar has dropped around 4 percent against a basket of currencies during the same period.

Those factors may allow the Fed to reinstate a balance of risks assessment in its statement, most likely a description of the risks to the U.S. economic outlook as “nearly balanced.”

Such phrasing is usually seen as prerequisite to policymakers even considering another rate rise. However, the U.S. central bank has tried to move away from forward guidance as it implements rate hikes.

The Fed may also acknowledge the recent improved market indicators by dropping or softening its March warning that global economic and financial developments “continue to pose risks.”

“If anything, Fed officials will likely want to encourage markets to price in more tightening than is being priced in currently,” said Jim O’Sullivan, an economist at High Frequency Economics, in a note.

Investors currently see zero chance the Fed will raise rates at this week’s meeting and see a 23 percent probability of a hike in June, according to an analysis of Fed Fund futures by the CME Group.

EYE ON THE DATA

The Fed may be wary of making too strong a judgment on the resilience of the U.S. economy come June until it has more data.

The global situation has already caused the Fed rate setters to dial back their estimates on the number of rate rises this year. Predictions from policymakers now show two, compared to four last December.

Other major central banks are grappling with ways to deal with lackluster growth. The Fed remains concerned that with interest rates still close to zero it would have to rely on more unconventional policy tools should the economy slow.

Last week the European Central Bank kept its main refinancing rate at zero and its bank overnight deposit rate in negative territory.

The Bank of Japan could cut its rates further into negative territory when it meets on Thursday.

U.S. data in the pipeline includes the initial estimate of first-quarter gross domestic product growth on Thursday, which is expected to be weak. Economists polled by Reuters predict 0.7 percent growth for the first quarter. The Fed will look for signs over the next few weeks that the economy is accelerating for the second quarter.

Another strong monthly jobs report in just over a week’s time could assuage concerns, as would evidence that a recent uptick in inflation is being maintained.

As such if there isn’t a balance of risks reinserted into April’s statement, “Fed officials could still use their speeches to manage market expectations higher,” if they decide on June, said Sam Bullard, an economist at Wells Fargo.

(Reporting by Lindsay Dunsmuir; Editing by Andrea Ricci)