Secret DHS Audit Could Prove Governmentwide Hacker Surveillance Isn’t Really Governmentwide

Senate Foreign Relations Committee member Sen. Ron Johnson, R-Wis., questions Deputy Assistant Secretary of State Benjamin Ziff, on Capitol Hill in Washington, Tuesday, Nov. 3, 2015, during the committee's hearing entitled: "Putin's Invasion of Ukraine an AP Photo/Andrew Harnik

The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following the OPM hack.

A secret federal audit substantiates a Senate committee's concerns about underuse of a governmentwide cyberthreat surveillance tool, the panel's chairman says.

The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered both ridicule and praise following a hack of 21.5 million records on national security employees and their relatives. The scanning tool failed to block the attack, on an Office of Personnel Management network, because it can only detect malicious activity that people have seen before.

At OPM, the attackers, believed to be well-resourced Chinese cyber sleuths, used malware that security researchers and U.S. spies had never witnessed. 

Still, EINSTEIN came in handy, according to U.S. officials, after the OPM malware was identified through other monitoring tools. The Department of Homeland Security loaded EINSTEIN with the "indicators" of the attack pattern so it could scan for matching footprints on other government networks.

But it has been a challenge to really gauge EINSTEIN’s smarts, when less than half of the civilian government is using the technology. Some agencies are reluctant to share citizen data in their custody with DHS, the operator of EINSTEIN.

The Senate Homeland Security and Governmental Affairs Committee wants all agency networks to be monitored by EINSTEIN to prevent another nation state attack.

And they say a classified Government Accountability Office report proves agencies still are not on board with the program, even after data breaches over the past two years at the departments of Interior and Energy, the U.S. Postal Service, the White House, background check providers and a list of other government offices too long to publish here. 

DHS restricted the audit for reasons it declined to disclose. GAO and Committee Chairman Sen. Ron Johnson, R-Wis., say some of the material is national security sensitive, but express hope that a redacted report will be published early next year.

"The senator is highly in favor of DHS releasing a redacted version of the report so we can let the public know about what the problems are with EINSTEIN," a committee aide said. "It does reaffirm some concerns about EINSTEIN that the senator has been raising."

In July, Johnson and committee ranking Democrat Sen. Tom Carper, D-Del., introduced legislation to hasten the usage of EINSTEIN across the government by clarifying DHS' legal power to deploy the scanning machine and by mandating agencies use it. 

Why Doesn’t DHS Want the Report Public?

Last Thursday, GAO announced the release of the confidential report on EINSTEIN, or, as it's officially known, the National Cybersecurity Protection System. The audit is titled, "DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System."

This week, GAO spokesman Chuck Young said in an email "it is up to the agency involved, in this case DHS, to determine if the report needs to be restricted." However, he added, "we usually go back to the agency and subsequently try to edit the materials they were concerned about, with the hope of eventually releasing a public version" that does not contain sensitive information. 

"That is not always possible," Young said. "It depends on how much information the agency has flagged as restricted. But we do hope to do that in this case and expect to issue in early 2016."

DHS spokesman S.Y. Lee said the department had no information to add to GAO's comments.

As of October, the department was on track to make EINSTEIN available to all agencies by the end of the year, DHS Secretary Jeh Johnson testified to the House Homeland Security Committee that month. DHS had sped up rollout even before the OPM data breach came to light. 

The tool one day could spot never-before-seen hack campaigns, like the personnel records robbery, Homeland Security officials said. EINSTEIN is built to support future technologies that "will automatically identify suspicious Internet traffic," even if "we did not already know about the particular cybersecurity threat," Andy Ozment, DHS assistant secretary for cybersecurity and communications, told Johnson's committee in June.

Information-sharing Bill Would Make Network Scans Mandatory

The committee’s measure is inside the Senate-passed version of a sweeping information-sharing bill headed for reconciliation with a House-passed version next year. 

With EINSTEIN, DHS and agency Internet service providers -- CenturyLink, Verizon and, as of this month, AT&T -- scan inbound emails from citizens for malicious attachments and links, collecting email and location metadata.

The EINSTEIN legislation, like many parts of the Cybersecurity Information Sharing Act, or CISA, riles privacy advocates who say DHS would be empowered to access too much private information.

Internet service providers have countered that nobody has time to read personal details, because security personnel are too busy analyzing the flood of Internet activity for patterns.  

Greg Nojeim, senior counsel at the Center for Democracy and Technology, noted Oct. 22 that if DHS determines a cyber vulnerability represents a substantial threat to an agency’s information security, the bill gives the department the right to move forward with “any lawful action” for purposes of protecting the system.

“This seems problematic and overbroad,” he said in a post on his organization's blog. For example, "DHS could direct the Department of Justice to delete data in its criminal justice data base, or take its network off line, even if the attorney general and the technicians responsible for maintaining and securing the network disagreed with the DHS about the proper course of action to take... DHS could even issue such directives with respect to systems owned and operated by private companies on behalf of the agency.”

The executive branch, in October 2014, issued a policy stating DHS can scan any agency's networks without permission, but the guidance does not carry the weight of law. 

As of July, EINSTEIN was protecting 17 civilian agencies, representing about 45 percent of the federal civilian government, according to the DHS website. 

Because DHS has not told the public what agencies are using EINSTEIN, "it's possible that when you email your representative, DHS may also receive a copy," Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said Sept. 1. "Before codifying EINSTEIN, DHS must be more transparent about the program."
