Einstein the only winner from another flaying of OPM on the Hill

A key lawmaker said he is readying fresh legislation to accelerate the cyber detection program.

Shutterstock image (by M DOGAN): Washington DC, Capitol building.


Obama administration officials on June 25 took another round of verbal flaying from Congress over IT security practices in the aftermath of the devastating hack of the Office of Personnel Management. The two-hour-plus venting session saw OPM Director Katherine Archuleta defending her continued leadership and lawmakers struggling to pin down the timelines of multiple breaches at OPM. The only winner from the Senate Homeland Security and Governmental Affairs Committee hearing was a federal cybersecurity program known as Einstein: the committee’s ranking Democrat said he was readying fresh legislation to accelerate the program.

While noting that Einstein is “not a panacea” for cyber vulnerabilities, Sen. Tom Carper (D-Del.) said he and Chairman Ron Johnson (R-Wis.) were working on a bill to increase adoption of the program at civilian agencies while requiring that leading security technologies be deployed.

Begun in 2005, the Einstein program focuses on the perimeter of federal networks by installing sensors at Web access points, combing through that data for vulnerabilities and using security signatures to block malicious traffic. The program is now in its third iteration – Einstein 3A (for “accelerated”) – which boosts security capabilities by leveraging classified information.

Less than half of the civilian side of the federal government has deployed Einstein 3A in one form or another, Andy Ozment, a top DHS official, told lawmakers. The assistant secretary in DHS’s Office of Cybersecurity and Communications said that Einstein, with its focus on network perimeters, is “necessary, but not sufficient” for civilian-agency cyber defense. Private security experts agree.

Though administration officials say Einstein helped detect the breach of the personal information of at least 4.2 million current and former federal employees, the program is but one discussion point in the post-mortem drama playing out on Capitol Hill.

Another is Archuleta’s continued tenure as OPM director. Several lawmakers asked either Archuleta directly or the other witnesses whether she was fit to lead the agency. Fellow witness Tony Scott, the federal chief information officer, backed Archuleta’s leadership, but senators seemed less than convinced. Carper, for his part, noted that OPM has been without a Senate-confirmed deputy director for more than three years. Consideration of the nomination of retired U.S. Navy Rear Adm. Earl Gay has been held up by Sen. David Vitter over health care policy.

Archuleta defended her leadership and blamed the agency’s IT struggles on “decades of neglect” prior to her arrival and the challenges of managing legacy IT systems. But when OPM Inspector General Patrick McFarland was asked whether Archuleta had fulfilled her promise to improve the agency’s IT security policies by working closely with McFarland, he replied, “I don’t believe she’s fulfilled that commitment specifically with me.”

The OPM boss called for more resources to help shore up her agency’s cybersecurity, saying she plans to submit a request to lawmakers for more funding for IT security by the end of the week.

Longtime DHS CIO Richard Spires told lawmakers earlier this week that money was not the problem. “It’s more of a management issue,” he said.