The hackers who stole personal data on 4 million government employees from the U.S. Office of Personnel Management sneaked past a sophisticated counter-hacking system called Einstein 3, a highly-touted, multimillion-dollar and mostly secret technology that’s been years in the making.
It’s behind schedule, the result of inter-agency fights over privacy, control and other matters, and only about half of the government was protected when the hackers raided OPM’s databases last December.
It’s also, by the government’s own admission, already obsolete.
“Einstein 3 was state of the art two years ago,” said James Lewis, senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington. “It’s good, but it’s not enough, and we know that because the commercial security industry is already moving away from that kind of defense.”
The breach of OPM by hackers, linked by U.S. officials to the Chinese government, has focused attention on the shortcomings of Einstein 3, and by extension the troubled effort to secure government computer networks from sophisticated adversaries such as China and Russia.
Over the last several months, U.S. officials have said that perimeter-based defenses such as Einstein, even backed by the National Security Agency’s own corps of hackers, can never prevent break-ins.
Like banks and technology companies, government agencies must move to a model that assumes hackers will always get in, specialists said. They’ll need to buy cutting-edge technologies that can detect intruders inside networks and eject them quickly, before the data is gone.
Given the slow pace of government acquisition, the inter-agency rivalries and budget fights, though, the initiative may take several years or more to implement, leaving the possibility that the new technology will be old by the time it’s installed.
Congress has yet to act on the personnel agency’s Feb. 2 request for a $32 million budget increase for fiscal 2016, said Senator Angus King, a Maine independent, in an interview.
“Most of the funds,” the agency said, “will be directed towards investments in IT network infrastructure and security.”
The latest intrusion points to the need for Congress to pass a cybersecurity bill, White House Press Secretary Josh Earnest said. He stopped short of saying whether the measure would have prevented the OPM breach.
“It’s too early to determine at this point what precisely would have prevented this particular cyber-intrusion,” Earnest said Friday at a press briefing. “What is beyond argument is that these three pieces of legislation that the president sent to Congress five months ago would significantly improve the cybersecurity of the United States, not just the federal government’s cybersecurity, but even our ability to protect private computer networks.”
The personnel management office is accelerating the installation of Einstein 3 in civilian agencies to 2016 from 2018, and that decision was in the works before the extent of the OPM intrusion was discovered, Earnest said.
Republican leaders in the House of Representatives fired back.
“Where is the leadership?” said Cory Fritz, a spokesman for House Speaker John Boehner, an Ohio Republican. “The federal government has just been hit by one of the largest thefts of sensitive data in history, and this White House is trying blame anyone but itself. It’s absolutely disgusting.”
A similar message was sent by the office of the second-ranking House Republican, Kevin McCarthy of California. “This Administration is notorious for not working with Congress, but they could at least read the news,” said the statement. “Congress has, in fact, passed cyber legislation, and the House has been leading on this issue for years.”
Michael Brown, who until 2012 helped implement the Einstein technology as the director of cybersecurity coordination at the Department of Homeland Security, said the Einstein system must be augmented with newer technologies.
“Only a couple of weeks ago, the government made an important move, and said they recognized the need to increase visibility inside their networks,” Brown said. “I think you’ll see a move now to buy the technology necessary to do that.”
“It’s an admission that the Einstein program and other current programs are important but not sufficient,” he said.
King called the OPM hack, and an earlier one on Sony Corp. that was attributed to North Korea, “serious warnings, but not catastrophic, which attacks on the financial system, gas pipelines or the electric grid would be.”
He and others have called for more drastic measures, including developing offensive cyberweapons to retaliate against nations that attack the critical infrastructure of the U.S. or its allies, somewhat analogous to the nuclear threat of “mutual assured destruction” during the Cold War.
In the interview, King also suggested “air-gapping” financial, transportation, energy and other critical computer networks -- cutting their links to the Internet as has been done with some defense computer systems.
Much of the commercial security industry is already moving to technology designed to detect hackers as they move or alter data inside networks, known as defense in depth. Those technologies track flows of data inside networks, not just to and from the Internet.
When the government began rolling out Einstein 3 in 2012, it was cutting-edge.
It’s designed to stop attacks before they reach government computers. The five major Internet service providers -- Verizon Communications Inc., AT&T Inc., Sprint Corp., Level 3 Communications Inc. and CenturyLink Inc. -- use it to sniff the huge volume of data moving to and from sensitive networks and then use digital signatures to spot and delete hackers’ tools.
It cost $234 million in fiscal 2012, $406 million in 2014 and $378 million in 2015 to roll out Einstein 3, according to DHS budget documents. Costs for 2013 weren’t broken out.
At the same time, the system was plagued by fights over who would run it -- the Defense Department or DHS; spats with privacy advocates over whether it was too intrusive; and negotiations over the implementation with Internet providers.
Those negotiations and other problems slowed its installation, and as of June 6, 2015, the system is protecting 13 federal agencies and departments with less than half of all Federal civilian personnel, according to DHS.
One of the differences between Einstein 3 and its predecessor, Einstein 2, is that E3 uses highly classified data. Hackers working for the National Security Agency infiltrate the computers of rival nations and study their spies’ tools. That classified information is then fed into the Einstein system, supposedly allowing the technology to intercept those attacks.
It’s difficult to tell whether Einstein 3 failed to do the job or whether the hackers found holes in the system.
Officials say it did not detect the initial intrusion in December, but once it was discovered in April, digital signatures from the attack were fed into the system and helped spot the hackers in the networks of the Interior Department.
S.Y. Lee, a DHS spokesman, declined to say whether the hacked OPM database was protected at the time by Einstein 3, but security specialists say it may not have mattered.
Brown said the most elite hackers have already adjusted, using unique tools that haven’t been seen before and therefore don’t have digital signatures that can be detected by E3. Such attacks, which are costly because the infrastructure is only used once, are known as “one and done.”
The hackers also might have entered OPM’s computers by first infiltrating federal contractors, but that data still should have been scanned by E3, Brown said.
The slow deployment of Einstein 3 and the shift in the security landscape underscore why the Pentagon and others have been trying to forge new alliances with entrepreneurs in Silicon Valley and elsewhere.
Defense Secretary Ashton Carter spoke to technology leaders in Palo Alto, California, in April, tossing around ideas for recruiting engineers for temporary missions in government and meeting with Facebook Inc.’s Mark Zuckerberg and Sheryl Sandberg, among others.
“Last year, venture capitalists put $1 billion into cyber security and the government is trying to figure out how to tap into the technologies coming out of that,” said the CSIS’s Lewis. “Despite all of its advantages, the government is now trying to catch up to where the private sector is.”