Are You There NCUA? It’s Me (Insert Credit Union)

The final pages of 2020 look a lot like these first pages of 2021. There are so many issues to worry about, but there’s one that appears to be potentially truly frightening for credit unions. For the moment, let’s put aside the actual pandemic that continues infecting and killing thousands of people every damn day. Let’s put aside the political mess of election lawsuits and attempts to toss out or ignore millions of votes that are happening because a distressing number of Republican politicians believe the election was stolen – without any evidence.

The issue I’m most worried about right now is the fact that we’ve been hacked.

About 20 miles to my south, there’s a formerly little-known tech company that develops software to help businesses manage their networks, IT infrastructure and all sorts of enterprise efforts.

Some weeks ago, the first reporting was published that this company was at the center of what could be the most prolific and historically-damaging hack of our country’s infrastructure, government and financial systems.

SolarWinds, this company we all now know about, was reportedly used by Russia to infiltrate hundreds federal agencies and businesses across the country, according to reporting by the New York Times and several other news outlets.

Reporting from tech organizations involved in the attack showed that the hack focused on finance, national security, health and telecommunications bodies.

While the U.S. government has been largely quiet about the manifestation of the hacking that went on for several months or even more than a year without detection, and the hack has not stopped, Microsoft and other organizations have raised red flags everywhere about the virtual fire raging through our servers. In fact, it wasn’t our nation’s official organizations in charge of our cyberdefenses, or our military’s Cyber Command or National Security Agency that reported the months-long hack by the Russians. It was a private organization, FireEye, that first sounded the alarm.

According to the New York Times, Sen. Mark Warner (D-Va.), who sits on the Senate ­Intelligence Committee, said, “And if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.”

Microsoft has been uniquely open about its internal investigations early on. Initially the organization said its networks were not compromised. Microsoft amended that statement a few days later when it announced that the hack had indeed gone incredibly deep into its system and hackers were able to see original source coding for some of its products.

According to a recent blog post on Microsoft’s website, “The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.”

I’ve had two off-the-record conversations with credit union industry officials about the SolarWinds hack. I’ll characterize those brief chats this way: We don’t know much, we are very concerned and we are looking for help.

On Dec. 17, CUNA announced it had sent a letter to the NCUA about the cyberattack to express its concerns about the impacts on the regulatory agency. Below is a portion of the statement emailed to CU Times from CUNA:

The data breach, which is said to be the most significant cyberattack in recent history, corrupted the Orion IT monitoring platform to infiltrate systems across the country, including credit unions and other financial institutions.

“As the NCUA seeks to determine the attack’s impact on the agency and as credit unions do the same, CUNA members have two concerns,” CUNA President/CEO Jim Nussle wrote. “First, we urge the agency to be forthright in its communications with credit unions if it is determined that the agency is impacted. Second, we call on (the) NCUA to suspend the collection of data from credit unions until it can ascertain that its systems have not been and are not compromised.” 

In the letter, CUNA suggests that the NCUA consider issuing guidance to alleviate stress from impacted credit unions as the full scope of the data breach is yet to be determined due to the complexity of the attack.

As of this writing, the NCUA has not addressed the issue. We do not know if the NCUA has been impacted. We do not know if the NCUA is conducting its own investigation or audit of its network systems. We do know the Treasury Department, the Commerce Department, the State Department, the Pentagon and the Energy Department have all been compromised. We do know from reports that other federal regulatory agencies have also been compromised.

CUNA appears to be concerned and so are we.

Are we supposed to assume that no news is good news, and the NCUA is safe and secure because we haven’t heard otherwise? Is the NCUA considering the suspension of credit union data collection? Have they suspended data collection?

We understand that NCUA Chairman Rodney Hood is about to be replaced as soon as the new administration is sworn in later this month. We understand that the scope of this cybersecurity problem is massive and complicated. We understand the idea of punting this problem to the next administration could be very appealing, if that’s what is happening.

What isn’t happening is any communication about this issue to credit unions from its leading agency. Whether it’s good news or bad news, the NCUA needs to communicate something – anything – that could be reassuring or even some kind of guidance to let an entire cooperative financial industry know that the agency is at least thinking about this potentially disastrous problem.

As I’ve done before, I’ll give them an example of what they could say:

“The NCUA is aware of the SolarWinds cybersecurity issue and we are committed to investigating our network security thoroughly. Soon we will issue a report of our findings. In the meantime, we suggest unplugging your credit union, waiting a minute and then plugging it back in.”

In one of my off-the-record conversations about this, the person basically said that the hack is so large they don’t know where to start.

I applaud CUNA’s effort to, at the very least, indicate that the hack could be a real and damaging problem for credit unions. Frankly, we don’t officially know if it is or not.

I thought Bruce Schneier, a Harvard fellow and network security expert, put it best in an interview with the New York Times that the only way to be sure that a network is clean after this cybersecurity failure is “to burn it down to the ground and rebuild it.”

Are credit unions at risk? If so, what are those risks? Hello? Are you there? Anyone?

Michael Ogden is editor-in-chief for CU Times. He can be reached at mogden@cutimes.com.