SBA defends data exposure response
The notification of companies whose data had been exposed by the Small Business Administration's effort to set up advanced electronic emergency loan portals was slowed by a contracting issue, the agency's deputy CIO told Congress.
Notification of a potential personal data exposure for 8,000 small business loan applicants seeking to keep payrolls humming during the COVID-19 pandemic took longer than the Small Business Administration wanted because the agency had to cut a contract for credit monitoring services for victims, the agency's deputy CIO told a House business subcommittee on Wednesday.
"I would have liked that to be faster, but that is how long it took to get there," Guy Cavallo, SBA deputy CIO, told the House Small Business Committee's Subcommittee on Investigations, Oversight and Regulations on July 22. Cavallo told the subcommittee that SBA worked as quickly as possible both to close the data exposure and to notify those businesses whose data may have been affected.
Closing the exposure took hours but notifying potential victims took far longer, according to Cavallo, because SBA had to line up a contract to provide them with free credit monitoring services.
Cavallo's response was to an inquiry from subcommittee Chairwoman Rep. Judy Chu, D-Calif., about why SBA took until April 15 to issue letters to those businesses potentially affected, when the exposure happened on March 25.
The "data exposure" that SBA's Economic Injury Disaster Loans (EIDL) applicants experienced back in March was fixed in three and a half hours, said Cavallo, but the process to provide free credit monitoring services to those potentially affected took longer because the agency didn't have a current contract with a credit monitoring services vendor to provide those services.
"We had to go to GSA [General Services Administration] to compete it," he said. "We did that on March 29th through 30. Once awarded, the vendor reviewed the logs and found that some didn't have valid addresses and information" that needed to be corrected, he said.
Cavallo clarified to Chu that the March incident was not a data breach but a potential data exposure. Both are serious, he said, but a data breach means bad actors have access to the data for prolonged periods, even potentially downloading it. A data exposure, he said, is more fleeting.
Chu said the incident "shows there clearly needs to be improvement in SBA's IT," also citing a 2014 Government Accountability Office study that found SBA's IT was unprepared for a disaster event that required a massive response.
Under the leadership of SBA CIO Maria Roat, said Cavallo, the agency IT office has been working feverishly since 2016 to implement commercial cloud platforms that are more modern and responsive than legacy systems.
That work, he said, laid the groundwork to create flexible, scalable support for EIDL, the Payroll Protection Plan, the customer service hub and other small business support platforms in its COVID response. All of those platforms were implemented within eight days, he said. Some initial glitches, such as delays in access to the small business disaster loan portal for applications, were eased by the cloud platforms' flexibility, he said.
The work SBA has put in over the last three and a half years to implement cloud has also allowed it to quickly advance what had been lagging cybersecurity, he said.
According to the Committee on Oversight and Government Reform's Federal Information Technology Acquisition Reform Act (FITARA) scorecard, SBA has made improvements to its IT infrastructure overall, but is still scoring a "D" on cyber security, said Chu in her opening statement. "This is particularly concerning given the cyber security breach that occurred with the EIDL application."
During his testimony, Cavallo pointed to two pilot programs the agency has been doing with the Department of Homeland Security to understand cloud-based Continuous Diagnostics and Mitigation (CDM) and Trusted Internet Connections (TIC) as proof that SBA is making significant progress on cybersecurity.
"Otherwise, DHS would not have selected us to pilot two critical cybersecurity pilots that have changed federal policy," he said.