Bill Would Mandate Agencies Use Einstein ProgramMeasure Aims to Hasten Adoption of Intrusion Prevention System
Could a change to federal law help prevent breaches such as those at the Office of Personnel Management that exposed the private information of more than 22 million individuals? Sen. Ron Johnson thinks so.
See Also: HIPAA Audits: A Revised Game Plan
Johnson, the Wisconsin Republican who chairs the Senate Committee on Homeland Security and Governmental Affairs, and the panel's ranking Democratic member, Tom Carper of Delaware, introduced on July 27 the Federal Cybersecurity Enhancement Act of 2015, which would require federal agencies to implement the government's Einstein intrusion protection program.
(Update: The Senate Homeland Security and Governmental Affairs Committee approved the legislation on July 29. )
"Had the powers of this bill been implemented already, they likely would have stopped the hack of the Office of Personnel Management," Johnson said in announcing the legislation. "They will make it far more difficult for our adversaries to steal our private data and to penetrate government networks."
But former CIA CISO Robert Bigman argues that although Einstein will strengthen civilian agencies' IT security, the intrusion prevention system - which cannot decipher encrypted communications - would not have prevented the OPM breach. That's because the hacker - believed to have ties to the Chinese government - stole the credentials from a government contractor to access the OPM system, Bigman says. And with those credentials, he says, the hacker logged in using encryption. "Einstein doesn't help if it can't decrypt communications," Bigman says.
The legislation would:
- Accelerate the adoption of the Einstein program across the government by clarifying the Department of Homeland Security's legal authority to deploy it and by mandating adoption by agencies;
- Require better cybersecurity practices across government to ensure a defense-in-depth approach, including intrusion assessments, two-factor authentication and encryption for sensitive systems;
- Advance the capabilities of Einstein by requiring that it include the most advanced cyber technologies, including leading commercial tools, and that it evolve to better protect agencies as threats evolve; and
- Mandate strong privacy protections for the Einstein program and data.
Carper says ensuring that federal government agencies have access to the best technology is critical for cyberdefense. "At the same time, agencies must be constantly assessing and increasing their internal cyberdefenses to be as strong as possible," Carper says. "Einstein is a valuable tool that can help agencies detect and block cyber threats before they can cause too much harm."
But Bigman contends even with the new law, Einstein won't be effective unless the government provides the money for DHS to manage and expand the intrusion prevention program. The Johnson-Carper bill does not provide funding for Einstein; that would be handled in a separate appropriations bill.
DHS initially deployed Einstein in 2004. The first two versions of Einstein identify abnormal network traffic patterns and detect known malicious traffic. The latest version, known as Einstein 3 Accelerated, or Einstein 3A, actively blocks known malicious traffic and is being deployed through the primary Internet service providers the government uses.
Einstein 1 and 2 use only unclassified information; Einstein 3A employs classified information. Using classified indicators allows Einstein 3A to detect and block many of the most significant cybersecurity threats.
Sending a Message
Why is a law needed to dictate to civilian agencies that they must implement Einstein? The bill's sponsors and administration officials say ambiguities in existing law make it unclear whether it's legal for agencies to disclose network traffic to DHS. "Some agencies have questioned how deployment of Einstein under DHS authority relates to their existing statutory restrictions on the use and disclosure of agency data," DHS Assistant Secretary Andy Ozment says.
At a House Oversight and Government Reform Committee hearing last month, Ann Barron-DiCamillo, director of the U.S. Computer Emergency Readiness team, explained that DHS identified a signature from the OPM breach and updated Einstein 3A so it could help other federal agencies spot or block intrusions.
Getting agencies to deploy Einstein is an Obama administration priority, a point made by DHS Secretary Jeh Johnson at a House Judiciary Committee hearing earlier this month. "To be frank, our federal .gov cybersecurity, in particular, is not where it needs to be," Johnson said.
In making an argument for governmentwide use of Einstein, Johnson conceded that new technologies and process will not detect and stop every single intrusion. "That is not new," he said. "But we have increased, and will continue to increase, the instances in which attempted intrusions are either stopped at the gate, or rooted out from inside the system before they cause damage."
The Federal Cybersecurity Enhancement Act is the second piece of legislation introduced in the Senate in o expand the use of Einstein among federal agencies. On July 23, a bipartisan group of senators introduced the Federal Information Security Management Reform Act of 2015 that would bolster the Department of Homeland Security's role in ensuring the security of executive department agencies (see OPM Breaches Impact on Legislation).
Correction: An earlier version of this story misidentified the state Ron Johnson represents. It's Wisconsin, not South Dakota.