If there's an iron law of cybersecurity, it's that everyone gets hacked. It doesn't matter how big and powerful you are. They've hacked the Office of Management and Budget. They've hacked the NSA. They've even hacked Brazzers.
So we should have a little sympathy for the Securities and Exchange Commission, which announced Wednesday that it, too, had been hacked: an “intrusion of the Commission’s EDGAR test filing system.” But like Equifax before it, the SEC seemed to be laying it all out there for transparency's sake when really it was keeping quite a lot of detail close to its chest. Here are Chairman Jay Clayton's full remarks on the matter, which came sandwiched in the middle of a much longer statement on cyber risks at the agency:
Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.
Here's the relevant passage from the accompanying press release:
In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.
Though it should be clear, all the passive voice and murky chronology make it somewhat difficult to get a coherent picture of what happened. Here's an attempt at a timeline, according to the above.
- For an unknown period of time: EDGAR test filing system has vulnerability.
- Sometime in 2016: SEC learns about vulnerability.
- “Promptly” thereafter: SEC fixes vulnerability.
- Perhaps concurrent with the above, perhaps not: SEC learns vulnerability was exploited, internal investigation commenced.
- August 2017: Hack may have led to insider trading.
The statement leaves vague how long it was, exactly, that the vulnerability existed. Also when, relative to discovering the vulnerability, they learned it had been exploited. Also why it took somewhere between eight and 20 months for them to learn that the hack “may” have led to insider trading. And finally, why they remain uncertain about this fact. We've got a lot of questions!
Granted, matters of cybersecurity are really touchy and hacked parties ought to be prudent before rushing out and telling the world they've been compromised. It can take ages to get to the bottom of something. And the Consolidated Audit Trail is still just an idea, so the SEC can't just wave a wand quite yet and know immediately who traded what when.
But we have to wonder whether tucking the announcement parenthetically within a long-winded and frankly boring speech about cybersecurity protocols is really the best way to let the public know that the nation's top securities watchdog – for which cybersecurity has become a chief focus – was itself hacked. Would the SEC be happy with this disclosure coming from a publicly traded company?
In some ways, that comparison isn't fair to the SEC. For one thing, the agency doesn't have shareholders. But for its own good, the agency needs to maintain trust with the public and model decent disclosure practices. Leaving all these gaping questions in what was already a strange statement does not instill confidence.