The inspector general for the Federal Reserve is warning that a key database at the central bank needs more cybersecurity protections, according to a summary report.
Compiled in the wake of a security control review of the board’s Statistics and Reserves system, known as STAR, the report finds that overall, “the Division of Monetary Affairs and the Division of Information Technology have taken several steps to implement information security controls.”
But the inspector general staff warned that there are several cybersecurity deficiencies in the system.
“We found that improvements are needed in the Board’s security governance of STAR to ensure that information security controls are adequately implemented, assessed, authorized, and monitored,” the authors concluded.
The report includes six recommendations for improvements to security controls in certain areas, including planning, security assessment and authorization, contingency planning, auditing, access control, risk assessment and system, and information integrity.
Due to the extremely sensitive nature of the information, the report itself was not made public, only a brief executive summary was released Tuesday. As a result, it is not clear what specific cybersecurity flaws concerned the inspector general.
Chris Finan, a Silicon Valley technology entrepreneur and member of the cyber-steering committee at the Center for National Policy, said his concern is that hackers could exploit flaws to gain access to internal Fed statistical data. That feeds into a bigger trend in the cybersecurity space — fear that hackers are manipulating data to some other purpose, rather than simply stealing data for profit.
“One scenario: Hackers subtly manipulate the data to influence a Fed decision,” he said. “Another: Hackers manipulate the data in an obvious way to make the Fed lose confidence in the system as a whole, slowing a key decision.”
Overall, “the biggest risk to the Fed is probably a loss of data integrity and the impact that would have on decisions,” Finan said.
Hacking is not a new concern for the Federal Reserve. In 2013, Reuters reported that the Fed disclosed its systems had been breached in an attack that was publicized by the activist group Anonymous. In the wake of that attack, Fed experts scrambled to discover just how much damage had been done. Anonymous said it had published personal information for more than 4,000 American bank executives stolen from a password protected Fed website.
A spokesman for the Federal Reserve said the STAR system is used to process data for statistical reports received primarily from financial institutions. Data processed through this system are used to construct public releases such as the board’s weekly report on aggregate reserves of depository institutions and the monthly report on consumer credit.
“We have accepted the recommendations of the Office of Inspector General and are addressing all of them,” the spokesman said.