Decades of funding shortfalls and tired legacy systems are to blame for the massive data breach at the Office of Personnel Management (OPM), says OPM Director Katherine Archuleta, who defended her agency and its staff under heavy questioning in Congress last week.
Case in point: OPM was using the most basic version of Einstein, the Homeland Security Department’s most sophisticated threat detection software. That version, Einstein I, is limited to perimeter defense. Einstein did help detect the threat, but not soon enough. And the early version OPM was using wasn’t able to neutralize the threat on its own.
The latest version, Einstein 3A – for “accelerated,” adds additional capabilities, including the ability to stop malicious traffic from harming networks by blocking malware installed on government networks from communicating with known or suspected domains.
Still, even if OPM had deployed the government’s most sophisticated threat-detection systems available, it’s unclear whether Einstein 3A could have stopped the intrusion.
Like most cyber detection systems, Einstein can’t spot malware it hasn’t seen before, explained Andy Ozment, Assistant Secretary at the Department of Homeland Security’s Office of Cybersecurity and Communications.
“The trick with Einstein is, as it currently is built, it has to know about a threat before it can detect or block it,” Ozment said Wednesday before the House Homeland Security subcommittee. “One layer of depth we need to provide is a layer that will help us detect and block intrusions we have not previously seen.”
In the Wall Street Journal, Damian Paletta wrote that Einstein made for an easy target for lawmakers, quoting Rep. Jason Chaffetz (R-Utah), the House Oversight and Government Reform Committee chairman, as calling the system “completely useless in the latest OPM hacks.”
Paletta also quoted Federal Chief Information Officer Tony Scott: “We should take a broad look across the federal government, look at our high-value assets, make sure we were comfortable with the kinds of security we have.”
Lawmakers clearly were not comfortable. FCW’s Sean Lyngaas reported that Sens. Ron Johnson (R-Wis.) and Tom Carper (D-Del.) intend to offer a bill to speed up deployment of Einstein and related security technologies.
Following the OPM breach, the White House issued a 30-day cybersecurity “sprint” for agencies to detect and address any flaws in their networks. But that response, too, came under criticism last week.
Former DHS Chief Information Officer Richard Spires, now CEO of Resilient Network Systems, testified at the Senate Appropriations financial services and general government subcommittee that 30 days is not enough time to fix serious system errors, and agencies are likely to uncover evidence of more significant breaches and security issues.
“It’s a management issue,” Spires told the committee. “The federal government has no properly managed IT. The resulting complexity makes it virtually impossible to secure such an environment.”