IRS isn’t alone with its struggle with EINSTEIN cyber program

Agencies are looking at a deadline of less than four months to implement the cybersecurity program known as EINSTEIN 3-Accelerated (E3A).

The Homeland Security Department says the government is making progress toward that Dec. 18 target, with about 66 percent of all large agencies using the software to detect and block cyber attacks.

But a recent letter to the IRS from Sen. Ron Johnson (R-Wis.), chairman of the Homeland Security and Governmental Affairs Committee, calls into question whether every agency really can or will meet the spirit and intent of the effort.

Johnson wrote to IRS Commissioner John Koskinen on Aug. 8 asking for answers after a recent briefing from DHS about the status of the EINSTEIN implementation effort across all of government.

What Johnson said DHS told the committee is alarming, to say the least.

“IRS is either unable or unwilling to implement the statutorily required mandates of CISA of integrating all levels of the EINSTEIN network protection tools on the IRS systems and for all IRS data. According to DHS, the IRS believes, based on other statutes, that IRS is exempt from these statutory requirements,” the letter stated. “The IRS’s refusal to adopt EINSTEIN protections is all the more concerning due to the vast amounts of personally identifiable information that the IRS collects on every American, as well as the IRS’s previous failure to protect this information.”

Sen. Ron Johnson is the chairman of the Homeland Security and Governmental Affairs Committee.

It turns out more letters similar to this may be coming from Johnson.

Multiple government sources say as many as three other agencies are in danger of falling short of the deadline and may be leaning on some sort of exception as to why they wouldn’t have to implement E3A.

Sources say the departments of Commerce, Labor and Agriculture are pushing back against DHS and the EINSTEIN program.

It’s unclear if the entire department or just a handful of the statistical bureaus are giving DHS indigestion.

As with the Federal IT Acquisition Reform Act (FITARA), where some agency chief information officers faced pushback from statistical bureaus, chief information security officers (CISOs) could now be running into the same issue. In the end, federal CIO Tony Scott issued separate FITARA guidance for statistical agencies. Don’t expect him to issue separate guidance for cybersecurity protections, especially not with the threats increasing.

“We are adding agencies at a pretty rapid rate, but I am really focused on those agencies that are not yet covered,” said Andy Ozment, DHS’s assistant secretary of the Office of Cybersecurity and Communications within the National Protection and Programs Directorate, at an Aug. 24 cyber summit sponsored by FCW in Washington. “As we start getting closer to that deadline, the agencies that are struggling to get it done are all waiting to the end and we can’t onboard every agency at once, three days before the deadline. We don’t have the capacity to suddenly help every agency. So if your agency is not yet on E3A, the message I want you to take home is get moving and we are obviously working closely with all your agencies to make it happen.”

Ozment said DHS is working on this problem with the Internet Service Providers to implement E3A software at each agency’s Trusted Internet Connection. He said civilian agencies have about 65 TICs.

Publicly, at least two of the agencies, the IRS and Labor, are saying the right things.

An IRS spokesman said the bureau has every plan to meet the December deadline for EINSTEIN.

“The IRS continues to focus on cybersecurity and protecting taxpayer data. This remains a priority area even as the IRS budget has declined by $900 million since 2010,” the spokesman said. “The IRS has been a supporter of EINSTEIN since 2007, including implementing the EINSTEIN One and Two efforts. As a next step in hardening our network and detecting and preventing malicious traffic, the IRS will put in place Einstein 3 Accelerated (E3A) and is on track to implement before the Dec. 18, 2016 mandated date.”

Over at the Labor Department, a spokesman said they too are on track to implement E3A by December.

“The department has been supportive of the EINSTEIN program and is currently covered by EINSTEIN 2 services,” the spokesman said. “About 90 percent of our network traffic has been migrated to EINSTEIN 3 Accelerated (E3A), and we are working toward full implementation. We are on track to meet the E3A December deadline in accordance with the Federal Cybersecurity Enhancement Act of 2015. We greatly appreciate the support we have received from our partners in this effort, including the Department of Homeland Security and our private-sector vendor.”

Emails to Commerce and Agriculture asking about their E3A efforts were not returned.

Johnson asked for a response from the IRS by Sept. 18.

The question then comes back to what Johnson heard in the DHS briefing that concerned him enough to write a letter. Where’s the disconnect between DHS and the IRS?

The pushback from statistical agencies seems to be a common theme here. The Census Bureau, for example, at one time had concerns over EINSTEIN because of the split in authorities under Title 11, where only bureau employees could access and handle specific data. If that Census data flowed through the EINSTEIN tools, the bureau was previously concerned that DHS lacked the authority to touch the data even at a basic cybersecurity level, as opposed to a content level. But that issue supposedly was fixed years ago.

The same challenge could be at Labor where the Bureau of Labor Statistics handles extremely sensitive data and the concern is whether adding EINSTEIN tools would put the information at risk of being seen by the wrong people. And when I say the wrong people, of course, we are talking about other than BLS employees.

But Congress took care of the concerns from statistical and other agencies in the Cybersecurity Act of 2015.

“Congress said to DHS, ‘You are authorized and in fact told to deploy EINSTEIN to cover and protect agencies.’ That was really important because for eight years we’d been struggling to get EINSTEIN deployed because some agencies were legitimately unsure whether the law allowed them to have EINSTEIN coverage because they had other statutes restricting who could see their data,” Ozment said. “So we got this authorization from Congress saying every other law is overridden and agencies have to sign up for EINSTEIN.”

There seems to be a bigger issue at hand here — trust. Why wouldn’t Labor or Commerce or USDA or the IRS trust DHS? These are employees cleared at the highest levels of government, reviewing the most sensitive data about every agency’s networks and working with the intelligence community and the Defense Department to thwart cyber attacks.

But they can’t be trusted with statistical data? Sorry, but something isn’t calculating here.

And then there is the definition of compliance under the law. Does that mean every agency’s Internet connection needs to be fitted with E3A software or just one or a few?

The legislation seems clear, saying each agency shall apply and continue to utilize these advanced cyber capabilities for all information traveling between an agency system and any other system.

Ozment said DHS is focusing on the largest agencies for the December deadline, but is ready to help out with the smallest ones.

The good news here is I’m told DHS is being more forceful with its oversight. One source says where in the past DHS tried to be a collaborator and convener, it’s now wielding the stick a little more swiftly. This is a good thing given the state of federal cybersecurity and the ever-increasing threats and vulnerabilities. Any reluctant civilian agency thinking it can do a better job securing its networks than DHS should be met with a suspicious eye and an expectation of proof.


Copyright © 2019 Federal News Network. All rights reserved.