By Cory Bennett – June 9, 2015
The main system used by the federal government to protect sensitive data from hacks has been plagued by delays and criticism that it is already outdated — months before it is even fully implemented.
The Einstein system is intended to repel cyberattacks like the one revealed last week by the Office of Personnel Management (OPM) — a breach now believed to be the worst in the government’s history.
Four million federal workers had sensitive data exposed in the hack, with that information now thought to be part of a Chinese database that could help Beijing steal U.S. secrets.
Critics say Einstein has been a multibillion-dollar boondoggle that is diverting attention away from the security overhaul that is needed.
“I’ve spoken to government agencies — it is frightening what I hear from them,” said Hitesh Sheth, CEO of Vectra, which helps companies monitor their networks. “They’ll tell me, ‘We have 10-year-old technology. We are going through a review period. Maybe in nine months we’ll get around to upgrading our firewall.’ ”
Even advocates of Einstein acknowledge that federal protections are not adequate.
“The capabilities are necessary but in no way near sufficient to be able to counter the threats we see today,” said Michael Brown, a former director of cybersecurity coordination for the Department of Homeland Security (DHS), who worked on the Einstein rollout.
“It’s just not agile enough,” said Christopher Cummiskey, a former acting undersecretary for management at the DHS who oversaw a number of the agency’s cyber efforts. “You’re always going to be behind the curve.”
Lawmakers and security specialists are hammering the Obama administration over its repeated inability to keep digital intruders out of its system, with the OPM breach being just the latest example.
“Where is the leadership?” asked Cory Fritz, a spokesman for Speaker John Boehner (R-Ohio). “The federal government has just been hit by one of the largest thefts of sensitive data in history, and this White House is trying to blame anyone but itself. It’s absolutely disgusting.”
President Obama acknowledged that one of the United States’s problems is that it has a “very old system.”
“What we are doing is going agency by agency and figuring out what can we fix with better practices and better computer hygiene by personnel, and where do we need new systems and new infrastructure in order to protect information,” he said at a Monday press conference in Germany, where he was attending the Group of Seven summit of leading industrial nations.
The administration isn’t close to where it needs to be on cybersecurity, says the Democratic co-chairman of the Congressional Cybersecurity Caucus.
“We can expect to continue to see these kinds of cyber attacks and intrusions until we get much better at defending our cyber networks,” Rep. Jim Langevin (D-R.I.) told The Hill. “That is troubling and unfortunate.”
A spokesman for the DHS said the agency does what it can to contain cyber threats.
“Cybersecurity is about risk management, and we cannot eliminate all risk,” DHS spokesman S.Y. Lee said. “When incidents do occur, as in this case, DHS provides on-site support to find the adversary, drive them out, and restore service.”
For the past decade, the DHS has focused on hardening agency networks by bolstering perimeter defenses with Einstein.
The program is fed information about nefarious digital intruders, and then it keeps watch for them on the perimeter. It also looks out for sensitive data leaving the system.
“With Einstein, largely it’s detecting threats we already know about,” Cummiskey said. “It isn’t as good at recognizing things we haven’t seen.”
To offset those shortcomings, officials in recent years started rolling out a Continuous Diagnostics and Mitigation (CDM) program, which searches for nefarious actors once they’re already in the networks. It’s meant to complement and eventually integrate with Einstein.
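To make concrete what the perimeter model described above does and does not catch, here is an added example (not code from the article, DHS or the Einstein program): a toy sensor that matches outbound flows against a fed indicator list and flags single large outbound transfers. All indicators, addresses and flow records are constructed, and the 50 MiB per-flow threshold is an assumed policy.

```python
from dataclasses import dataclass

# Constructed indicator feed (documentation/TEST-NET addresses, not real IoCs).
KNOWN_BAD_IPS = {"203.0.113.7"}
KNOWN_BAD_DOMAINS = {"c2.example-bad.test"}
# Assumed exfiltration policy: flag any single outbound flow of 50 MiB or more.
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024


@dataclass
class Flow:
    src: str        # internal host
    dst_ip: str     # external destination
    dst_name: str   # resolved name, "" if none
    bytes_out: int  # bytes sent outbound in this flow


def inspect(flow: Flow) -> list[str]:
    """Indicator and volume checks a perimeter sensor can apply to one flow."""
    reasons = []
    if flow.dst_ip in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if flow.dst_name in KNOWN_BAD_DOMAINS:
        reasons.append("known-bad-domain")
    if flow.bytes_out >= EXFIL_THRESHOLD_BYTES:
        reasons.append("large-outbound-transfer")
    return reasons


# Constructed flow records: one to a fed indicator, one bulk transfer to an
# unlisted host, and a slow drip to an unlisted host that stays under threshold.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", "", 4_096),
    Flow("10.0.0.9", "198.51.100.20", "files.example.test", 120 * 1024 * 1024),
    *[Flow("10.0.0.12", "192.0.2.44", "cdn.example.test", 8 * 1024 * 1024)
      for _ in range(20)],
]


def alerts(flows: list[Flow]) -> dict[str, list[str]]:
    """Map destination IP -> distinct alert reasons across all of its flows."""
    out: dict[str, list[str]] = {}
    for f in flows:
        for r in inspect(f):
            if r not in out.setdefault(f.dst_ip, []):
                out[f.dst_ip].append(r)
    return out


def total_outbound(flows: list[Flow], dst_ip: str) -> int:
    """Bytes actually sent to one destination, whether or not anything alerted."""
    return sum(f.bytes_out for f in flows if f.dst_ip == dst_ip)
```

The unlisted slow-drip destination receives 160 MiB in total yet never trips an alert, which is the "things we haven't seen" gap that an inside-the-network program such as CDM is meant to cover.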
The program now covers about half of government networks, with the goal of having full coverage by the fall of 2016. Einstein is also expected to be fully in place by that time.
The government recently pushed up both dates by two years, as federal networks are increasingly being pounded and cracked by cyberattacks.
Because OPM handles such large volumes of employee data — including background checks and Social Security numbers — it is one of the first agencies to receive the new security programs. But the Department of Interior, which housed the OPM data center that was apparently compromised, isn’t as high on the list.
Hackers know this, Cummiskey said. “It’s kind of the weakest link approach,” he explained.
Critics have also questioned the program’s efficacy.
The OPM infiltrators were reportedly roaming around the agency’s networks for at least four months before being discovered.
“It’s still unclear about how long they have been sitting on the network,” Langevin said.
The hack isn’t the first time officials have needed time to find digital intruders quietly snooping on their networks. An intrusion last fall at the U.S. Postal Service took weeks to discover.
Sheth believes the pattern will continue under the current security strategy, which he described as the victim of slow bureaucracy.
“Well intentioned and way too late,” he said. “At a national level, this cannot sustain. … They don’t have a fire under their butt.”