How the U.S. government hopes to stop the next big hack

After “the most successful cyberattack in the history of the United States” happened on her watch, almost everyone wants Katherine Archuleta fired.

As director of the Office of Personnel Management (OPM), Archuleta has watched the toll of the year-long breach skyrocket from theft of the sensitive data of 4 million federal employees to 18 million to perhaps as many as 32 million—including FBI agents and military officers.

“For any agency to disregard its data security for so long is grossly negligent,” House Oversight Chairman Jason Chaffetz (R-Utah) said in a tense hearing, capping a month of sharp criticism. Chaffetz says he wants her gone, and he has plenty of company, including a half dozen members of Congress and Republican 2016 presidential candidate Jeb Bush, the former governor of Florida.

The Obama administration says that the cyberwar waged against the U.S. on multiple fronts is a “national emergency.” But while lawmakers and agency heads bicker over the details of the OPM hack and lay the bulk of the blame at Archuleta’s feet, a more important question remains: Whose job is it to protect the U.S. government from hackers?

Stupid Einstein

On the very front line, the Department of Homeland Security (DHS) is responsible for securing the government’s cyber and communications infrastructure. Constant monitoring, incident response, and a central management center make DHS the first defender any attacker has to beat.

Homeland Security’s National Cyber Security Division is supposed to detect any intrusion into government networks with its Einstein program, which inspects packets entering and exiting U.S. government networks and reports anomalies.


With the OPM hack, Einstein failed for months to detect breaches that were eventually discovered, with private-sector security tools providing the first detection.

Einstein is a decade-old program that’s been through three iterations and about $4.5 billion in development. But it’s slow to execute, and it takes government developers years to build and roll out new versions. Einstein 3 has been in development and deployment for over half a decade. As of 2014, the newest version of Einstein actively protected 500,000 federal users out of nearly 3 million active employees, according to the U.S. government.

None of the three versions of Einstein has ever been deployed across all civilian government.

The newest version of Einstein is able to “shoot down” attackers before they have an impact. That sounds good in theory, but the program wasn’t deployed to OPM at the time of the hack—and still isn’t today. Einstein 3 Accelerated (3A) detects and blocks intrusions Einstein is already aware of but cannot “detect and block intrusions we have not previously seen,” Andy Ozment, assistant secretary for the DHS’s Office of Cybersecurity and Communications, told Congress. Einstein 3A is not yet being used by the federal government.
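Ozment’s distinction is the classic gap between signature matching and behavioural detection: a system that only blocks what is already on its list will wave through a destination it has never seen. The following Python is an added illustration, not code from the original article or from DHS’s Einstein program. It runs two checks over a constructed flow log: a list lookup standing in for a classified indicator feed, and a simple per-host outbound-volume baseline. Every host address, byte count and indicator is made up for the example.

```python
"""Signature matching versus a per-host volume baseline over constructed flow records."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds relative to the start of the inspected window (constructed)
    src: str        # internal source host
    dst: str        # external destination host
    bytes_out: int  # bytes sent from src to dst


# Constructed indicator feed: destinations an earlier investigation tied to an intrusion.
KNOWN_BAD_DESTINATIONS = {"198.51.100.7", "203.0.113.42"}

# Constructed history used to build a per-host baseline of normal outbound volume.
HISTORY = [
    Flow(-86400, "10.0.0.5", "93.184.216.34", 10_000),
    Flow(-43200, "10.0.0.5", "93.184.216.34", 12_000),
    Flow(-21600, "10.0.0.5", "93.184.216.34", 14_000),
    Flow(-86400, "10.0.0.9", "93.184.216.34", 100_000),
    Flow(-43200, "10.0.0.9", "93.184.216.34", 120_000),
]

# Constructed traffic for the window under inspection.
WINDOW = [
    Flow(0,   "10.0.0.5", "93.184.216.34", 11_000),      # ordinary for this host
    Flow(60,  "10.0.0.5", "198.51.100.7",  8_000),       # small beacon to a listed destination
    Flow(120, "10.0.0.9", "93.184.216.34", 110_000),     # ordinary for this host
    Flow(180, "10.0.0.5", "192.0.2.200",   40_000_000),  # unlisted destination, huge outbound volume
]


def signature_alerts(flows, indicators):
    """List-based matching: flag only traffic to destinations already on the indicator list."""
    return [f for f in flows if f.dst in indicators]


def build_baseline(history):
    """Mean outbound bytes per source host over the historical flows."""
    per_host = {}
    for f in history:
        per_host.setdefault(f.src, []).append(f.bytes_out)
    return {host: mean(volumes) for host, volumes in per_host.items()}


def baseline_alerts(flows, baseline, factor=10):
    """Flag flows whose outbound volume exceeds `factor` times the host's baseline,
    plus any flow from a host with no history at all."""
    alerts = []
    for f in flows:
        typical = baseline.get(f.src)
        if typical is None or f.bytes_out > factor * typical:
            alerts.append(f)
    return alerts


def run_detection(window=WINDOW, history=HISTORY, indicators=KNOWN_BAD_DESTINATIONS):
    """Run both checks and report which destinations each one catches."""
    baseline = build_baseline(history)
    sig = signature_alerts(window, indicators)
    base = baseline_alerts(window, baseline)
    return {
        "signature": sorted(f.dst for f in sig),
        "baseline": sorted(f.dst for f in base),
        "missed_by_signatures": sorted(f.dst for f in base if f not in sig),
    }


if __name__ == "__main__":
    for name, hits in run_detection().items():
        print(f"{name}: {hits}")
```

On this constructed data the indicator lookup catches the small beacon to the listed host and nothing else, while the baseline catches the never-seen destination moving forty megabytes out and nothing else. Neither check is sufficient alone, and the baseline only works because the history was retained, which is the same log-retention problem the article raises about OPM further down.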

Some in law enforcement hope that a new law like the Cybersecurity Information Sharing Act (CISA) will give Homeland Security more information from both the private and public sectors to use in bolstering defenses. CISA has been criticized by privacy advocates as hyperaggressive and overbroad.

“The goal of Einstein 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response,” according to the White House. “It will have the ability to automatically detect and respond appropriately to cyberthreats before harm is done, providing an intrusion-prevention system supporting dynamic defense.”

Insecure homeland cybersecurity

Homeland Security’s cyber-prowess has faced strong criticism since well before the OPM hack was revealed. A January 2015 U.S. government report said the DHS is “struggling to execute its responsibilities for cybersecurity, and its strategy and programs are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”

The DHS didn’t patch and upgrade its systems when necessary, according to the report, and “the idea of a cybershield securing our networks is a dangerous illusion.”

Homeland Security and Congress “should fundamentally rethink DHS’s strategy for safeguarding and securing cyberspace,” according to the report, which was led by former Sen. Tom Coburn (R-Okla.), a 10-year veteran of the Senate Homeland Security and Governmental Affairs Committee.

The report’s authors didn’t know it, but by the time the report was published, the OPM hackers had already been inside federal networks for months.

Bring in the big guns

When the situation calls for it, Homeland Security can call in heavy support: the National Security Agency (NSA). The NSA is responsible for protecting the government’s classified and critical military networks but not, on a day-to-day basis, civilian networks like OPM’s, unless DHS needs the help.

The NSA’s intelligence on foreign cyberthreats is used to tell Einstein exactly what kinds of threats to expect. NSA’s Information Assurance Directorate delivers threat data, engineering manpower, and training support.

The newest version of Einstein, 3A, uses classified information from sources like the NSA in defense of the civilian government.

Einstein 3A is projected to be rolled out and “offer high-impact protection capabilities” to all federal civilian agencies in 2016, according to Homeland Security, two years ahead of the original 2018 delivery date, at a cost of $497.8 million in Homeland Security’s 2016 budget.

Security limits

Even when Einstein 3A is fully rolled out, however, it’s meant to lower risk—but it can’t stop every attack.

To a large extent, every individual agency within the government is responsible for its own cybersecurity. As a result, Congress, which has spent the last month pointing fingers at OPM, has itself received quiet but pointed criticism for the anemic cybersecurity budgets it sets.


“I think Congress needs to look at itself,” Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations, argued late last month. “When you look at why do these events happen? Well, they’re drastically underfunded.”

Knake walked through several of the key causes of the OPM hack and asserted that preventing the next breach meant Congress had to allocate more funds to cybersecurity budgets.

“Having contractors outside of the United States working on these systems, those were driven by costs,” he said. “You have this entirely indefensible architecture, you have these legacy systems that need to be replaced that are not defendable. To then point fingers at the head of an organization and say, ‘You failed,’ well, what was she supposed to do?”

Not using encryption on sensitive data was a crucial oversight made by Archuleta, who had no cybersecurity staff until 2013 and is now planning to hire a security advisor by August 1. OPM didn’t even keep logs of network traffic—likely because the costs were too high—so investigators cannot completely reconstruct the break-in.

The fact that a major U.S. government agency moved at a glacial pace on an obviously crucial issue, and that almost no one in power noticed until many millions of sensitive records were stolen, strongly suggests that the problems go far deeper than Archuleta and are more widespread than OPM.

“This is not shame on China,” Michael Hayden, former director of the NSA and Central Intelligence Agency, said when the hacks first emerged. “This is shame on us.”

Hayden’s argument, which has become a common refrain by government officials, is that the OPM hack is traditional espionage that the U.S. should have seen coming.

Doubts about DHS

Although some have suggested that Homeland Security must be responsible for cracking the whip and making sure that federal agencies’ cybersecurity is in shape, it’s not at all clear how that process would work or how DHS would enforce its authority.

Worse: It’s not clear DHS would do a very good job of it.


Here’s a worrying example. In 2012, Microsoft announced that Windows XP would not be supported for security patches and updates after April 2014. Homeland Security issued a warning to government agencies about the dangers of running unsupported operating systems in March. After the deadline came and went, however, Homeland Security kept running Windows XP on numerous systems.

The Government Accountability Office reported in 2014 that Homeland Security has struggled with cybersecurity on its own turf. U.S. ports never received a full cybersecurity risk assessment and DHS’s Domestic Nuclear Detection Office was not implementing “critical security patches” or performing “wireless security scans of its facilities to identify non-DHS wireless access points operating within close proximity.”

In the wake of one of the worst hacks in U.S. government history, the frontline defenses will be the subject of much scrutiny over the next year as cybersecurity is elevated to one of government’s most important priorities—no matter what happens to Katherine Archuleta. 

Photo via Albert Einstein (PD) | Remix by Jason Reed

Patrick Howell O'Neill


Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.