The Department of Homeland Security says it is ramping up its efforts to detect cyber threats against agencies both inside their networks and at the points at which they intersect with the public Internet. One key element of the government’s threat detection strategy almost will be entirely in place by the end of September.
DHS’s current plan would buy enough hardware and software to cover 97 percent of all non-defense agencies’ IT systems with the first phase of its Continuous Diagnostics and Mitigation (CDM) program by the end of this year, Andy Ozment, the assistant secretary for the Office of Cybersecurity and Communications told the House Homeland Security Committee Wednesday. As of now, CDM has been implemented at just eight agencies, representing about half the users on the civilian side of the government.
CDM – at least in its first phase – is designed to scan agency networks on an ongoing basis to look for known cybersecurity vulnerabilities. Later phases will look for unauthorized activity by users on federal networks and seek out other ‘anomalies’ on networks.
Meanwhile, DHS says the latest iteration of its EINSTEIN program, known as 3A, is up and running for about 45 percent of the government – 20 percent more than nine months ago.
While CDM is designed to watch for threats inside networks, EINSTEIN is meant to spot them as they traverse their way between the public Internet and any system operating in the broad dot-gov domain. Where the system has been deployed, it has already blocked more than 500,000 connections to malicious websites.
And in the wake of the OPM data breach, the department is in a hurry to spread its adoption, along with CDM to the rest of the government as quickly as possible.
“There’s a caveat though: the deadlines we’re talking about are when DHS will provide the capability,” Ozment said. “It’s going to take a few additional months for each agency to fully implement both EINSTEIN and CDM once the services become available. And each agency must supplement them with additional tools that are appropriate to the agency.”
But DHS sees the deployment of EINSTEIN 3A as a high priority because it has the capability to stop malicious network traffic automatically and in real-time, unlike prior versions of the system, which merely notify network administrators when something appears to be amiss in the dot-gov world.
But the department says the rollout has been hampered by several factors, including the fact that Congress has never explicitly agreed to authorize EINSTEIN, resulting in potential conflicts with existing laws that seem to restrict individual agencies’ ability to share information with DHS and the broader government.
Also, the deployment depends on private-sector Internet service providers’ ability and willingness to embed the EINSTEIN technology into the network connections they deliver to various federal agencies. Ozment said the government’s main ISPs have been able to do so, but DHS is looking at workarounds for providers that haven’t yet. One barrier is the fact that unlike prior versions, EINSTEIN 3A requires the use of classified information.
Neither the Office of Personnel Management nor the Department of the Interior – which houses some of the data centers involved in the breach – were covered by 3A because they had not struck the necessary agreements with their ISPs by the time the breach occurred.
Ozment said both agencies were relying on prior versions of EINSTEIN, which, he said, worked as they were designed. While it may be cold comfort to the millions of federal employees whose personal data was stolen, even the more rudimentary version at least allowed the government to detect the massive data theft, something it probably could not have done without EINSTEIN.
“OPM rolled out security capabilities in accordance with a security mitigation plan we provided them last May, and they caught an intruder on their networks and then shared the cyber threat indicators with us. We took those indicators and put them into the EINSTEIN system,” he said. “With EINSTEIN 2, we were able to look back in time and saw that Interior had suffered an intrusion. We were able to figure out exactly what was exfiltrated and from what computers. In this case, it turned out to be OPM data, and that’s the 4.2 million records you’re now reading about in the media.”
But it’s still far from clear that even the upgraded version of EINSTEIN could have detected the OPM intrusion sooner, let alone prevented it in the first place. That’s because the latest system still can’t detect threats unless EINSTEIN has signatures in its database that match up against the activities of an attacker.
“The trick with EINSTEIN is that it has to know about a threat before it can detect it or block it,” Ozment said. “It’s a necessary tool, but it’s not sufficient. As we roll it out across the breadth of government, we need to focus too on the depth of the capability it offers, and one thing we need to do is add the capability to detect and block intrusions that we have not previously seen. That can get risky, because it’s going to give you some false positives and you’re going to block some legitimate network traffic. But I think that’s a risk we are going to have to take.”
OPM has been heavily criticized for failing to encrypt the data that was stolen in the breach, but Ozment said that even if the agency had been able to retrofit its legacy systems to accomplish encryption, it probably would not have helped.
That’s because the attackers already had access to administrative credentials, giving them free rein over the systems in question. So any encrypted data would have been automatically and instantaneously decrypted by OPM’s own systems and sent directly to the attackers anyway.
“Think about this as a computer network being an apartment building,” Ozment said. “Each tenant has their own key, but the attackers secretly stole and copied the superintendent’s entire key ring.”
The OPM attackers’ method of access has not been fully disclosed, but several members of Congress wondered whether some type of two-factor authentication could have prevented the breach.
Ozment deferred several such questions to the Intelligence Community, but strongly endorsed two-factor authentication as one “important” security layer.
The U.S. government, in theory, has such a scheme in place via its Personal Identity Verification (PIV) cards, which require users to insert a physical credential into their computers before they are allowed to access certain information technology systems.
But according to the Government Accountability Office, only 41 percent of federal government users are actually required to use those PIV cards to gain access to federal IT systems, despite a White House directive that was issued more than a decade ago.