DHS accelerating intrusion detection system deployments

Secretary of Homeland Security Jeh Johnson (DHS)

Secretary of Homeland Security Jeh Johnson said Wednesday that he has ordered the deployment of the latest, most advanced version of the Einstein intrusion detection system — known as Einstein 3 Accelerated, or E3A — to all federal civilian agencies by the end of 2015.

The move is part of the so-called cybersecurity sprint ordered by the White House in the aftermath of the massive data breach at the Office of Personnel Management. Johnson, who spoke Wednesday at the Center for Strategic and International Studies in Washington, D.C., said DHS and the intelligence community “have strong evidence about the identity of the actors behind the breach,” but are not yet ready to make that information public. Many experts have speculated that China was behind the attack, which compromised the security clearance background investigations on millions of federal employees and general personnel data belonging to potentially millions more.

“On a reprioritized basis, we are deploying teams to assess the highest value systems across the federal civilian government, and hunt for and remove adversaries identified in the system,” Johnson said.

That hunt is being powered by the Einstein system, a multilayered intrusions detection system that can alert security officials to known threats or suspicious activity on the network. But the latest version of Einstein has unearthed even more disturbing evidence of governmentwide compromises.

“Since its introduction, E3A has blocked more than 550,000 requests to access potentially malicious websites,” Johnson said. “These attempts are often associated with adversaries who are already on federal networks attempting to communicate with their ‘home base’ and steal data from agency networks.”

A DHS spokesman confirmed to FedScoop that Johnson’s figures are accurate.

Richard Marshall, the former director of global cybersecurity management at DHS, said while Johnson’s revelation is astounding in its size and scope, it is true. And while significant improvements have been made to the Einstein program’s capabilities, those improvements came too late, he said. “My frustration is that where we are now with Einstein 3 we should have been three years ago,” Marshall said.

Marshall is currently a member of the board of Secure Cloud Systems, which specializes in micro-encryption down to the byte level.

Einstein 1 observes and records basic information about all activity entering and exiting an agency network. “It is like a recording camera sitting on the perimeter fence that can be reviewed to determine when or if a certain individual enters or exits the compound,” Johnson said. “Einstein 2 detects known, prohibited adversaries that have entered or exited the fence, and alerts us to them.”

But E3A is deployed at the Internet service providers that serve the federal government and uses classified threat data to both identify and block malicious software and activity. First deployed in 2013, E3A currently only protects 45 percent of the federal government, prompting Johnson to challenge his department to make it available governmentwide by the end of the year.

According to Marshall, the attempts to connect to external malicious websites Johnson mentioned could be symptomatic of a botnet — a network of compromised computers that are controlled remotely by hackers — inside federal agencies. To put Johnson’s comments in perspective, “it could be one piece of malicious code by one bad guy trying to communicate thousands of times a day,” Marshall said.

“The latest version of Einstein is very, very powerful,” he said. “If OPM had it, it would not have stopped the Chinese from getting in. But it might have prevented them from getting in if it had been installed three years ago. The Chinese had been in the OPM system for over two years. We just found out about it.”

Johnson also said he recently enhanced the role of the National Cybersecurity and Communications Integration Center, or NCCIC, within DHS. “I have elevated it within our structure so that its leaders have a reporting relationship directly to me,” he said.

The NCCIC is DHS’ 24-hour cybersecurity threat information sharing hub. It shares information on cyber threats and incidents, and provides on-site assistance to victims of cyber attacks. “In this fiscal year alone, the NCCIC has shared over 6,000 bulletins, alerts, and warnings, and responded on-site to 32 incidents — over double the number of on-site responses for the entire prior year,” Johnson said.

Johnson also said he’s ordered increased deployment of the department’s Continuous Diagnostics and Mitigation, or CDM, program, which will monitor agency networks internally for vulnerabilities. CDM is divided into three phases, Johnson said. “The first phase, which is being deployed now, checks to ensure that all computers and software on agency networks are secure. The second phase will monitor users on agencies’ networks and ensure they are not engaging in unauthorized activity. The third phase will assess activity happening inside agencies’ networks to identify anomalies and alert security personnel,” he said.

“To date we have made the first phase of CDM available to eight agencies, covering over 50 percent of the federal civilian government,” Johnson said. “I have directed, and we expect, that DHS make the first phase of CDM tools available to 97 percent of the federal civilian government by the end of this fiscal year. I am also requesting authorization from Congress to provide additional funding to speed up CDM Phase 2.”