House Panel Dents Budget for Cyber Tool That Scoped out OPM Breaches

A House committee has slightly undercut a White House budget request for Department of Homeland Security network surveillance technology integral to post-megahack cleanup.

Citing the cost of President Barack Obama's proposed pay raises and concerns about contracting for the tool, lawmakers passed a $474 million measure to fund EINSTEIN -- a roughly $5 million dent from the request.  

EINSTEIN looks for the telltale signs of intruders in government agency Web traffic. The "signatures" identified reveal known attacks, like the Office of Personnel Management espionage campaign that compromised 21.5 million individuals' Social Security numbers, personnel records and background investigations. 

Obama in February asked Congress for $479.8 million in fiscal 2016 to deploy the latest edition of the tool, E3A, across the government. This was before the administration in April used the technology to discover several intrusions related to the hacking campaign, thought to be a data raid on people who handle classified material.

The House Appropriations Committee's proposal, approved Tuesday by a 32-17 vote, "includes reductions to the request corresponding to the amounts associated with the pay raise assumed in the president’s budget, as well as reductions due to projected underexecution of personnel costs."

A Senate subcommittee, however, has assented to Obama's requested funding level. The two chambers now must reconcile differences in their DHS spending bills and take a final vote. 

The administration disclosed one of the two hacks at OPM on June 4 and days later told all agencies to check their systems for breaches using EINSTEIN over the next 30 days. The newest iteration, E3A, not only spots intrusions but can deflect incoming malicious traffic.

One indication of the OPM malicious software was reported at the National Archives and Records Administration, but turned out not to be that malware. Experts said they expected other agencies to find both older breaches and false alarms. 

Homeland Security -- which operates EINSTEIN -- is slated to award a contract for governmentwide activation by the end of 2015. 

A report accompanying Tuesday’s House bill voiced unease over business deals for the project, "which has experienced delays, and the overall efficacy of signature-based systems for the protection of networks.”

Right now, the security controls are delivered through three Internet service providers, AT&T, CenturyLink and Verizon. The committee wants DHS to broker working relationships with other ISPs to expand system capabilities.

EINSTEIN scans inbound emails from citizens for malicious attachments and links, collecting email and location metadata some civil liberties groups argue can be used for domestic surveillance.

A Senate committee postponed voting on a House bill, H.R. 1731, which would mandate agencies to funnel network traffic through EINSTEIN for tailored purposes.

Last week, in his first public remarks after revelations of the big cyber assault, DHS Secretary Jeh Johnson urged lawmakers to "expressly authorize the EINSTEIN program," as this would "eliminate any remaining legal obstacles to its deployment across the federal government."

EINSTEIN is intended to shield the network perimeter of each federal agency from attack, acting as a first layer of protection. 

The tool detects "known, prohibited adversaries that have entered or exited the fence, and alerts us to them," Johnson said. E3A is fed by signatures originating from the National Security Agency, as well as other classified and unclassified sources. 

Last Thursday, near the end of the White House-directed 30-day Cybersecurity Sprint, the administration said E3A covers 15 agencies and departments. Johnson said about 45 percent of the federal workforce is protected by E3A. 

The House legislation states Homeland Security "must continue improving its relationships with the departments and agencies participating in this program to better prepare those customers for the deployment of E3A."