Secret DHS Audit Could Prove Governmentwide Hacker Surveillance Isn’t Really Governmentwide

Senate Foreign Relations Committee member Sen. Ron Johnson, R-Wis., questions Deputy Assistant Secretary of State Benjamin Ziff, on Capitol Hill in Washington, Tuesday, Nov. 3, 2015, during the committee's hearing entitled: "Putin's Invasion of Ukraine an AP Photo/Andrew Harnik

The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following the OPM hack.

A secret federal audit substantiates a Senate committee's concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel's chairman says.

The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel Management (OPM) network, because it can only detect malicious activity that people have seen before.

At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. 

Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the "indicators" of the attack pattern so it could scan for matching footprints on other government networks.
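To make the limitation concrete, here is an added illustration (not DHS code or any real EINSTEIN logic, and using constructed domains and hashes): a signature-only scanner misses a campaign until its indicators are loaded, after which it finds the same footprints on another network.

```python
"""Toy indicator-based scanner: matches only what it has been told about."""
from dataclasses import dataclass, field


@dataclass
class IndicatorScanner:
    # Known-bad indicators (constructed for this example, not real IOCs)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)

    def load_indicators(self, domains=(), hashes=()):
        """Add indicators learned from other monitoring tools."""
        self.domains.update(domains)
        self.hashes.update(hashes)

    def scan(self, events):
        """Return (event_id, matched_indicator) for events hitting a known indicator."""
        hits = []
        for ev in events:
            if ev["dst_domain"] in self.domains:
                hits.append((ev["id"], ev["dst_domain"]))
            elif ev.get("attachment_sha256") in self.hashes:
                hits.append((ev["id"], ev["attachment_sha256"]))
        return hits


NOVEL_HASH = "deadbeef" * 8  # constructed 64-hex-char stand-in for a SHA-256

# Constructed traffic events from two hypothetical agency networks
AGENCY_A_EVENTS = [
    {"id": "a1", "dst_domain": "updates.vendor.test", "attachment_sha256": None},
    {"id": "a2", "dst_domain": "c2.novel-campaign.test", "attachment_sha256": NOVEL_HASH},
]
AGENCY_B_EVENTS = [
    {"id": "b1", "dst_domain": "c2.novel-campaign.test", "attachment_sha256": None},
    {"id": "b2", "dst_domain": "mail.agency.test", "attachment_sha256": NOVEL_HASH},
]


def demo():
    """Scan agency A before the campaign is known, then agency B after its IOCs are loaded."""
    scanner = IndicatorScanner()
    scanner.load_indicators(domains={"known-bad.test"})
    before = scanner.scan(AGENCY_A_EVENTS)  # never-seen campaign: nothing matches
    # Other tooling identifies the campaign; its indicators are now loaded
    scanner.load_indicators(domains={"c2.novel-campaign.test"}, hashes={NOVEL_HASH})
    after = scanner.scan(AGENCY_B_EVENTS)  # same footprints found elsewhere
    return before, after
```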

But it has been a challenge to really gauge EINSTEIN’s smarts, when less than half of the civilian government is using the technology. Some agencies are reluctant to share citizen data in their custody with DHS, the operator of EINSTEIN.

The Senate Homeland Security and Governmental Affairs Committee wants all agency networks to be monitored by EINSTEIN to prevent another nation state attack.

And they say a classified Government Accountability Office report proves agencies still are not on board with the program, even after data breaches over the past two years at the departments of Interior and Energy, the U.S. Postal Service, the White House, background check providers and a list of other government offices too long to publish here. 

DHS restricted the audit for reasons it declined to disclose. GAO and Committee Chairman Sen. Ron Johnson, R-Wis., say some of the material is national security sensitive, but expressed hope a redacted report will be published early next year.

"The senator is highly in favor of DHS releasing a redacted version of the report so we can let the public know about what the problems are with EINSTEIN," a committee aide said. "It does reaffirm some concerns about EINSTEIN that the senator has been raising."

In July, Johnson and committee ranking Democrat Sen. Tom Carper, D-Del., introduced legislation to hasten the usage of EINSTEIN across the government by clarifying DHS' legal power to deploy the scanning machine and by mandating agencies use it. 

Why Doesn’t DHS Want the Report Public?

Last Thursday, GAO announced the release of the confidential report on EINSTEIN, or, as it's officially known, the National Cybersecurity Protection System. The audit is titled, "DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System."

This week, GAO spokesman Chuck Young said in an email "it is up to the agency involved, in this case DHS, to determine if the report needs to be restricted." However, he added, "we usually go back to the agency and subsequently try to edit the materials they were concerned about, with the hope of eventually releasing a public version" that does not contain sensitive information. 

"That is not always possible," Young said. "It depends on how much information the agency has flagged as restricted. But we do hope to do that in this case and expect to issue in early 2016."

DHS spokesman S.Y. Lee said the department had no information to add to GAO's comments.

As of October, the department was on track to make EINSTEIN available to all agencies by the end of the year, DHS Secretary Jeh Johnson testified to the House Homeland Security Committee that month. DHS had sped up rollout even before the OPM data breach came to light. 

The tool one day could spot never-before-seen hack campaigns, like the personnel records robbery, Homeland Security officials said. EINSTEIN is built to support future technologies that "will automatically identify suspicious Internet traffic," even if "we did not already know about the particular cybersecurity threat," Andy Ozment, DHS assistant secretary for cybersecurity and communications, told Johnson's committee in June.

Information-sharing Bill Would Make Network Scans Mandatory

The committee’s measure is inside the Senate-passed version of a sweeping information-sharing bill headed for reconciliation with a House-passed version next year. 

With EINSTEIN, DHS and agency Internet service providers -- CenturyLink, Verizon and, as of this month, AT&T -- scan inbound emails from citizens for malicious attachments and links, collecting email and location metadata.

The EINSTEIN legislation, like many parts of the Cybersecurity Information Sharing Act, or CISA, riles privacy advocates who say DHS would be empowered to access too much private information.

Internet service providers have countered that nobody has time to read personal details, because security personnel are too busy analyzing the flood of Internet activity for patterns.  

Greg Nojeim, senior counsel at the Center for Democracy and Technology, noted Oct. 22 that if DHS determines a cyber vulnerability represents a substantial threat to an agency’s information security, the bill gives the department the right to move forward with “any lawful action” for purposes of protecting the system.

“This seems problematic and overbroad,” he said in a post on his organization's blog. For example, "DHS could direct the Department of Justice to delete data in its criminal justice database, or take its network offline, even if the attorney general and the technicians responsible for maintaining and securing the network disagreed with the DHS about the proper course of action to take... DHS could even issue such directives with respect to systems owned and operated by private companies on behalf of the agency.”

The executive branch, in October 2014, issued a policy stating DHS can scan any agency's networks without permission, but the guidance does not carry the weight of law. 

As of July, EINSTEIN was protecting 17 civilian agencies, representing about 45 percent of the federal civilian government, according to the DHS website. 

Because DHS has not told the public what agencies are using EINSTEIN, "it’s possible that when you email your representative, DHS may also receive a copy,” Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said Sept. 1. "Before codifying EINSTEIN, DHS must be more transparent about the program."