The massive data breach at the Office of Personnel Management made public on June 4 exposed
U.S. officials quickly identified China as a possible source of the attack, a charge that China was quick to criticize.
The cyber attack on OPM – or more specifically, on Interior Department data centers that house OPM data – occurred despite government-wide cybersecurity efforts led by the Homeland Security Department that include continuous diagnostic monitoring and the $3 billion Einstein network monitoring program.
For its part, DHS leadership said they helped OPM "develop and implement a comprehensive network monitoring plan" that led to OPM identifying the breach in April. That plan included Einstein, according to a DHS statement.
"Using these newly identified cyber indicators, DHS's United States-Computer Emergency Readiness Team (US-CERT) used the Einstein system to discover a potential compromise of federal [personally identifiable information]. Working with the affected agency and other interagency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and
According to a DHS official speaking on background, US-CERT reviewed the malware and shared the analysis with the affected agencies and interagency partners, and deployed the signatures to Einstein to protect federal networks. DHS then shared the data with all federal CIOs, and US-CERT also worked with the FBI to disseminate an information bulletin about the malware to the private sector and other cybersecurity stakeholders.
"In this incident, Einstein was used to identify the presence of a cybersecurity incident affecting OPM's IT systems and data at the Department of the Interior's data center, which is a shared service center and a means for federal agencies to collaborate and achieve efficiencies," the official said.
But there are a few different iterations of Einstein, each more comprehensive than the last, and it's unclear which agencies do or do not have Einstein in place on their networks – especially the latest version, Einstein 3 (Accelerated) or E3A. All three versions of Einstein are designed to detect and repel malicious traffic on federal
Einstein 3 is scheduled to be deployed across federal networks next year, an acceleration on the original 2018 schedule, Josh Earnest, White House press secretary, said in a June 5 press conference.
But Einstein's application is uneven across the government for a variety of reasons.
The Department of Interior contracts at least some of its telecommunications services through the Networx contract, provided by CenturyLink,
"It's not clear if they ever did sign. [DHS] was trying to find a way to bring AT&T onboard, but if they didn't, only CenturyLink and Verizon traffic would have been filtered through the additional signature checks protected by Einstein," said Chris Cummiskey, former DHS acting undersecretary for management.
AT&T provides at least some of Interior's telecom services, according to public records, but it is unclear if those services cover the agency's data centers. AT&T did not respond to requests for comment.
Where Einstein is implemented isn't the only question the OPM breach raises.
"Einstein should have ... detected this, but it also should have protected the exfiltration from happening. Why did it detect the intrusion but not protect against infiltration?" said Mark Weatherford, former DHS deputy under secretary for cybersecurity and now Chertoff Group principal. "The whole secret sauce of Einstein is taking government intelligence and information and applying it in addition to commercially available intelligence and information.
It's a question that is likely to echo in the coming weeks as the fallout from the OPM breach continues. Backers of Einstein insist it's critical to federal cybersecurity – and that it works – but the program is likely to face serious scrutiny.
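The detect-versus-protect question Weatherford raises, and the "newly identified cyber indicators" point in the DHS statement, both come down to how a signature-based network monitor behaves. The following is an added illustration written for this page; it is not code from the article, from DHS or from the Einstein program, and it says nothing about how Einstein is actually built. The signature names, hostnames and flow records are constructed for the example. It shows two things: a monitor run in detect-only mode alerts on a matching flow but still lets the bytes leave the network, while the same signatures run inline block the flow; and a signature can only ever match traffic seen after the indicator it encodes became available, so traffic that preceded the indicator passes unflagged in either mode.

```python
"""Signature-based network monitoring: detect-only versus inline (blocking) mode.

Added example for this page; not the article's, DHS's or Einstein's code.
All signatures, hosts and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Flow:
    seen_at: int        # when the monitor saw the flow (constructed logical clock)
    src: str            # source host
    dst_host: str       # destination hostname
    payload: bytes      # payload that would leave the network


@dataclass
class Signature:
    name: str
    loaded_at: int                         # when the indicator became available
    dst_host: Optional[str] = None         # match on destination host, if set
    payload_marker: Optional[bytes] = None # match on a byte pattern, if set

    def matches(self, flow: Flow) -> bool:
        # An indicator cannot flag traffic that passed before it was loaded.
        if flow.seen_at < self.loaded_at:
            return False
        if self.dst_host is not None and flow.dst_host != self.dst_host:
            return False
        if self.payload_marker is not None and self.payload_marker not in flow.payload:
            return False
        return True


@dataclass
class Result:
    alerts: List[Tuple[str, str]] = field(default_factory=list)  # (signature, dst_host)
    forwarded_bytes: int = 0   # bytes that actually left the network
    blocked_bytes: int = 0     # bytes dropped by the inline monitor


def inspect(flows: List[Flow], signatures: List[Signature], inline: bool) -> Result:
    """Run every flow past every signature.

    inline=False: detect only. Alert on a hit, but forward the flow anyway.
    inline=True:  block any flow that hits a signature, after alerting.
    """
    result = Result()
    for flow in flows:
        hits = [s.name for s in signatures if s.matches(flow)]
        for name in hits:
            result.alerts.append((name, flow.dst_host))
        if hits and inline:
            result.blocked_bytes += len(flow.payload)
        else:
            result.forwarded_bytes += len(flow.payload)
    return result


# Constructed indicators, loaded at t=3 (i.e. after the first suspicious flow).
SIGNATURES = [
    Signature("constructed-exfil-host", loaded_at=3, dst_host="staging.example"),
    Signature("constructed-beacon-marker", loaded_at=3, payload_marker=b"CMD:"),
]

# Constructed flow records: an archive upload before the indicator existed,
# ordinary intranet traffic, a second upload after the indicator was loaded,
# and a beacon carrying the marker byte pattern.
FLOWS = [
    Flow(1, "ws-17.agency.example", "staging.example", b"PK\x03\x04" + b"A" * 4996),   # 5000 bytes
    Flow(2, "ws-17.agency.example", "intranet.agency.example", b"GET /timesheet HTTP/1.1\r\n"),
    Flow(4, "ws-17.agency.example", "staging.example", b"PK\x03\x04" + b"B" * 7996),   # 8000 bytes
    Flow(5, "ws-22.agency.example", "cdn.example", b"CMD:sleep 600"),
]


def run_demo(inline: bool) -> Result:
    """Inspect the constructed flows with the constructed signatures."""
    return inspect(FLOWS, SIGNATURES, inline=inline)


if __name__ == "__main__":
    for mode in (False, True):
        r = run_demo(inline=mode)
        label = "inline (block)" if mode else "detect-only"
        print(f"{label}: {len(r.alerts)} alerts, "
              f"{r.forwarded_bytes} bytes forwarded, {r.blocked_bytes} bytes blocked")
        for sig, host in r.alerts:
            print(f"  alert {sig} -> {host}")
```

Both modes raise the same two alerts, so "it detected the intrusion" is true of either deployment. Only the inline run stops the second upload and the beacon; the first upload is forwarded in both runs because no indicator for it existed when it crossed the sensor. Whether a real monitor is placed in detect-only or blocking mode, and how quickly new indicators reach it, is exactly the kind of deployment detail the article says is unclear for Einstein.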
"The government has spent hundreds of millions on this; there are committees on the Hill that are invested in and committed to this. So it's a legitimate question to ask if Einstein couldn't prevent this breach, is it worth the hundreds of millions we're putting into it? What is the problem?" Weatherford said.