On the heels of the recently reported data breach at the Office of Personnel Management (OPM) which affected millions of current and former federal employees, the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held a hearing to examine the Department of Homeland Security’s (DHS) efforts to secure government networks in light of the recent data breach on the OPM.
Subcommittee chairman John Ratcliffe (R-Texas) had harsh words for OPM, stating, “The magnitude of the latest breach at the OPM, and the impact it will have on tens of millions of Americans and our national security for decades to come, is simply unacceptable. OPM was warned about its poor IT security; yet we still found them asleep at the switch.”
Ratcliffe added, “To put it into perspective, OPM was responsible for safeguarding extremely sensitive data—personnel files and security clearance information for tens of millions of federal employees—yet OPM’s efforts to secure its network were laughable. The stakes were immense, yet the cybersecurity efforts were pathetic.”
GAO: federal information at increased risk from cyber attacks
During the hearing, the Government Accountability Office (GAO) testified that the OPM hack and other recent data breaches illustrate the need for strong controls across federal agencies.
As cyber threats continue to evolve, federal agencies face a number of obstacles challenging their ability to keep pace. These challenges include designing and implementing a risk-based cybersecurity program, enhancing oversight of contractors providing IT services, improving security incident response activities, responding to breaches of personal information, and implementing cybersecurity programs at small agencies.
“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information, including sensitive personal information, will be at an increased risk of compromise from cyber based attacks and other threats,” GAO stated.
In an effort to bolster the federal cybersecurity posture, DHS and the Office of Management and Budget (OMB) have spearheaded a number of government-wide initiatives, including personal identity verification, continuous diagnostics and mitigation and the National Cybersecurity Protection System (NCPS).
GAO explained these initiatives as follows:
- Personal Identity Verification: In 2004, the President directed the establishment of a government-wide standard for secure and reliable forms of ID for federal employees and contractor personnel who access government facilities and systems. Subsequently, OMB directed agencies to issue personal identity verification credentials to control access to federal facilities and systems. OMB recently reported that only 41 percent of user accounts at 23 civilian agencies had required these credentials for accessing agency systems.
- Continuous Diagnostics and Mitigation: DHS, in collaboration with the General Services Administration, has established a government-wide contract for agencies to purchase tools that are intended to identify cybersecurity risks on an ongoing basis. These tools can support agencies’ efforts to monitor their networks for security vulnerabilities and generate prioritized alerts to enable agency staff to mitigate the most critical weaknesses. The Department of State adopted a continuous monitoring program, and in 2011 GAO reported on the benefits of the program and challenges the department faced in implementing its approach.
- National Cybersecurity Protection System (NCPS): This system, also referred to as EINSTEIN, is to include capabilities for monitoring network traffic and detecting and preventing intrusions, among other things. GAO has ongoing work reviewing the implementation of NCPS, and preliminary observations indicate that implementation of the intrusion detection and prevention capabilities may be limited and DHS appears to have not fully defined requirements for future capabilities.
GAO stressed they have made hundreds of recommendations in previous audits to assist agencies in addressing cybersecurity challenges and improve government-wide initiatives. While these agencies are critical to federal cyber efforts, no one solution will sufficiently protect against emerging cyber threats.
“While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats,” GAO said. “Rather, agencies need to employ a multi-layered, “defense in depth” approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies.”
During the hearing, representatives asked pointed questions about why the department’s multibillion-dollar cyber traffic-monitoring system known as EINSTEIN failed to prevent intruders from breaching OPM and extracting sensitive files on millions of federal employees.
Security experts are concerned OPM has exposed the shortcomings of EINSTEIN during a crucial time where the nation is under siege by state and non-state actors. Homeland Security Today reported last month that Invincea’s founder and CEO, Anup Ghosh, believes DHS’s continuous diagnostics monitoring (CDM) and EINSTEIN programs will not detect advanced attacks.
Ghosh stated, “Instead, they are useful for discovering known attacks, usually long after the attacker has robbed the shop. The OPM compromise is likely the tip of the iceberg in discovering how pervasively the Fed is compromised. As more CDM and EINSTEIN tools that look retrospectively in logs and networks get deployed, there will likely be more disclosures of breaches.”
Assistant Secretary for DHS’s Office of Cybersecurity and Communications Andy Ozment said EINSTEIN 3 was not deployed at the Department of the Interior or OPM at the time of the attacks. Even so, Ozment told members of the committee no perimeter defense alone could have prevented the attacks.
“You cannot possibly say that you can prevent any given intrusion, but the more layers of security you have the more difficult you make it for an adversary,” Ozment stated.
Ozment explained that EINSTEIN protects the unclassified networks at the perimeter of each agency and provides situational awareness across the government, allowing threats detected in one agency to be shared with all others.
The first two versions of EINSTEIN – EINSTEIN 1 and 2 – identify abnormal network traffic patterns and detect known malicious traffic. EINSTEIN 3 Accelerated (EINSTEIN 3A), on the other hand, has the capability to actively block known malicious traffic.
In the case of the OPM breach, the agency was not yet using EINSTEIN 3. However, it did utilize an earlier version of the tool, EINSTEIN 2, which did its job and detected the OPM compromise. However, EINSTEIN 2 can only identify, not block, cyber intrusions.
DHS has accelerated its efforts to implement EINSTEIN 3A across the federal government. The system currently protects approximately 45 percent of the civilian government and has blocked nearly 550,000 attempts to access potentially malicious websites via one of its countermeasures.
In order to roll out EINSTEIN more quickly, Ozment said Congress needs to remove obstacles to the program’s deployment and resolve lingering concerns, especially those associated with privacy, among certain agencies.
“Some agencies have questioned how deployment of EINSTEIN under DHS authority relates to their existing statutory restrictions on the use and disclosure of agency data,” Ozment said. “DHS and the administration are seeking statutory changes to clarify this uncertainty and to ensure agencies understand that they can disclose their network traffic to DHS for narrowly tailored purposes to protect agency networks, while making clear that privacy protections for the data will remain in place.”
Whether or not DHS’ highly touted EINSTEIN and CDM programs will effectively block known and malicious cyber intrusions, they are not a silver bullet and the nation will need to utilize numerous tools in developing a defense in-depth strategy to countering the rising number of sophisticated cyber attacks.
During the hearing, RAND Corporation staff member Daniel Gerstein testified that, “The OPM data breach provides ample evidence that the government’s ability to sense threats in real time has not been adequate.”
According to Gerstein, EINSTEIN and CDM—the two foundational programs of DHS’s cybersecurity program—are “necessary but not sufficient to change the cost benefit calculus or provide sufficient defensive capacity to keep cyberattacks from penetrating US government networks.”
Gerstein believes the US is at a crossroads concerning cybersecurity. The OPM breach has proven that now is the time for the government to act. Moving forward, a comprehensive cyber strategy will be essential to securing government networks.
“Even with EINSTEIN and CDM, more will be needed to defend government networks in cyber space—developing doctrine for deterrence, denial, attribution, and response will be imperative,” Gerstein said. “It may also be time to reevaluate the US government information architecture.”