An updated third version of EINSTEIN, a Department of Homeland Security (DHS) cybersecurity defense program that helped identify the cyber hacking of the Office of Personnel Management (OPM), will be implemented in 2016.

The update was originally scheduled to be completed in 2018, but the program's evolution, now called EINSTEIN 3 Accelerated (E3A), led DHS officials to move up the date for protecting all federal civilian agencies to next year, a DHS official said.

The push was first announced by White House Press Secretary Josh Earnest on Friday (Defense Daily, June 5). Earnest said the change in implementation was not a reaction to the OPM hack, but a decision made within recent months.

“This is actually something that our–that DHS officials had recently concluded that they could do; that essentially they had this longer-term period for trying to implement this software across federal civilian agencies, and they recognized that there was a need to accelerate this implementation,”

Sen. Tom Carper (D-Del.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, approved of the EINSTEIN 3A advancement. “The administration made the right decision today in expediting the installation of the Department of Homeland Security’s latest generation of the EINSTEIN cybersecurity monitoring and prevention system,” he said in a statement on Friday.

“Given that the EINSTEIN system played a key role in uncovering this recent serious cyber attack on the Office of Personnel Management, we need to make sure federal agencies have this system in place as soon as possible,” Carper added.

S.Y. Lee, a public affairs official at DHS, said, “The EINSTEIN program is part of a layered approach to cybersecurity and provides a common approach to perimeter defense across the federal government, and allows DHS to identify attacks affecting multiple agencies.”

A 2013 DHS report described the background: before EINSTEIN, federal agencies shared information about cyber vulnerabilities and incidents with the United States Computer Emergency Readiness Team (US-CERT, a part of the DHS National Cybersecurity and Communications Integration Center) inconsistently. Individual agencies provide most federal internet-based services separately.

EINSTEIN was designed to automate the process for collecting, analyzing, and sharing cyber security information across the federal government in near real-time.

Currently, EINSTEIN cannot detect or protect against new cyber threats until they have been identified and an associated signature is developed, then entered into the system, a DHS official said.

“In this case, as soon as OPM identified malicious activity on their network, DHS developed a signature and entered it into EINSTEIN. With that information, we were able to use EINSTEIN to catch this malicious activity elsewhere in the government,” the official said.

The program has been proceeding in phases. EINSTEIN 1 detects the characteristics of internet traffic. EINSTEIN 2 detects potential cyber attacks and sends an alert when a potential attack is identified. EINSTEIN 3A moves further and uses government information to block potential cyber attacks from impacting federal networks.

Lee highlighted that the system uses classified information to protect unclassified network traffic in the federal civilian executive branch networks. This “allows DHS to better detect, respond to, and appropriately counter known or suspected cyber threats identified within the federal network traffic it monitors.”

As of June 1, DHS is providing E3A services to 13 federal civilian departments and agencies. The department has also established a Memorandum of Agreement with 52 federal agencies to implement E3A, the official noted.

“While building protection and prevention tools are critical, it is equally important that we are able to respond to and recover from incidents. When incidents do occur, as in this case, DHS provides on-site support to find the adversary, drive them out, and restore service,” Lee said.

OPM

President Obama addressed these concerns at a press conference after the G-7 summit in Germany (Defense Daily, June 9).

“Part of the problem is, is that we’ve got very old systems. And we discovered this new breach in OPM precisely because we’ve initiated this process of inventorying and upgrading these old systems to address existing vulnerabilities,” Obama said.

“And this problem is not going to go away. It is going to accelerate. And that means that we have to be as nimble, as aggressive, and as well-resourced as those who are trying to break into these systems,” Obama said.

DHS manages the EINSTEIN program by contracting with internet service providers that serve the federal government.

As of April, DHS has contracts with Verizon [VZ] and CenturyLink [CTL] for the prevention portion of E3A. The providers cover about 50 percent of the traffic serving the federal civilian government (Defense Daily, April 15).