
Government data breach puts EINSTEIN defense system under question

The FBI is investigating a government data breach in which up to 4 million records may have been stolen and China-based hackers are the prime suspects, but the efficacy of the DHS EINSTEIN defense system has been put under question.

The Federal Bureau of Investigation (FBI) is investigating a breach of government computers that could have led to the theft of millions of federal personnel records. FBI investigators suspect China-based hackers in the attack, but the breach raises questions about the usefulness of the EINSTEIN defense system that the government relied on.

The breach has been described by officials as one of the largest known thefts of government data. It was detected at the Office of Personnel Management (OPM), which manages background checks, pension payments and job training across myriad federal agencies.

U.S. officials said up to 4 million records may have been stolen in the government data breach, but didn't say exactly what had been stolen, describing the data only as information that could be used to facilitate identity theft or fraud.

Department of Homeland Security (DHS) spokesman S.Y. Lee said in a statement that its intrusion detection system, known as EINSTEIN, identified the breach, which occurred in April 2015.

"DHS's United States-Computer Emergency Readiness Team (US-CERT) used the EINSTEIN system to discover a potential compromise of federal [personally identifiable information]," said Lee. "Working with the affected agency and other interagency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified. Based upon these response activities, DHS concluded at the beginning of May 2015 that OPM data had been compromised."

A spokesman for the Chinese Embassy in Washington dismissed the allegations, calling them "unverified" and noting that "cyberattacks conducted across countries are hard to track and, therefore, the source of attacks is difficult to identify."

EINSTEIN is an intrusion detection and prevention system that screens federal Internet traffic to identify potential cyber threats. When asked why the EINSTEIN system could not prevent the government data breach, a DHS official said EINSTEIN "cannot currently detect or protect against new threats until they are identified and an associated signature is developed and entered into the system."
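To make the limitation the DHS official describes concrete, the following is an added illustration (not EINSTEIN's code, and not anything published by DHS): a toy signature engine of the kind the article describes, run over constructed connection records, shows that a threat with no signature yet on file produces no alert, while a simple signature-free behavioural rule (an unusually large outbound transfer to a destination outside a known baseline) still flags the same event. All signatures, addresses, thresholds and log records below are constructed for the example.

```python
"""Signature-based detection versus a threat with no signature yet.

Added illustration of the article's point about signature-based IDS; the
detector, signatures, baseline and sample records are all constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Record:
    # One constructed connection-log entry; every value is made up.
    src: str
    dst: str
    bytes_out: int
    payload: str


# Constructed signatures: each stands in for a pattern extracted from a
# previously analysed sample, which is the only way a signature engine learns.
SIGNATURES = {
    "known-backdoor-beacon": re.compile(r"X-Beacon-Id: [0-9a-f]{8}"),
    "known-exfil-uri": re.compile(r"/upload\.php\?k=[A-Za-z0-9]{16}"),
}


def signature_hits(rec):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(rec.payload)]


# Constructed baseline of destinations this network normally talks to, and a
# constructed per-connection outbound volume threshold (50 MB).
KNOWN_DESTINATIONS = {"10.0.0.5", "10.0.0.9"}
VOLUME_THRESHOLD = 50_000_000


def behaviour_flags(rec):
    """Signature-free rule: large outbound transfer to a destination not in the baseline."""
    flags = []
    if rec.dst not in KNOWN_DESTINATIONS and rec.bytes_out > VOLUME_THRESHOLD:
        flags.append("large-transfer-to-new-destination")
    return flags


def analyse(records):
    """Run both detectors over the records; map record index -> list of alert names."""
    alerts = {}
    for i, rec in enumerate(records):
        hits = signature_hits(rec) + behaviour_flags(rec)
        if hits:
            alerts[i] = hits
    return alerts


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, not real hosts).
SAMPLE = [
    # Ordinary request to a baseline destination: nothing fires.
    Record("10.1.1.20", "10.0.0.5", 1_200, "GET /index.html HTTP/1.1"),
    # Matches an existing signature, so the signature engine catches it.
    Record("10.1.1.21", "203.0.113.7", 900,
           "POST /c HTTP/1.1\r\nX-Beacon-Id: 9a8b7c6d\r\n"),
    # No signature exists for this traffic; only the behavioural rule notices
    # the 80 MB push to a destination the network has never used before.
    Record("10.1.1.22", "198.51.100.3", 80_000_000,
           "POST /sync HTTP/1.1\r\nContent-Type: application/octet-stream\r\n"),
]


if __name__ == "__main__":
    for idx, names in analyse(SAMPLE).items():
        print(f"record {idx}: {', '.join(names)}")
```

The third record is the case the article is about: a signature-only system returns nothing for it until someone analyses the sample and writes a rule, which is why layering a behavioural or sandbox-based detector beside the signature engine matters.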

A recent SearchSecurity survey found that only 52% of respondents believed that signature-based defenses were "effective against the majority of today's malware."

As this article was published, DHS had not responded to inquiries about whether there are plans to expand EINSTEIN to include sandboxing in order to better prevent attacks using unknown malware.

DHS did confirm that after detecting the government data breach, US-CERT worked to share the malware signatures it found with affected agencies, interagency partners and the private sector.

Additionally, OPM will offer credit monitoring and identity theft insurance for 18 months to individuals potentially affected, and the National Treasury Employees Union, representing workers in 31 federal agencies, is encouraging members to sign up for the monitoring as well.

Jason Polancich, founder and chief architect for SurfWatch Labs and previously a U.S. government intelligence analyst, said the current release of information by the U.S. government is insufficient.

"Unfortunately, the real, most helpful details in this latest attack are not being shared outside very stove-piped lines," Polancich said. "Given the frequency and broad nature of these breaches, the government needs to open kimono from here in a more direct and official way. They need to practice what they preach with respect to information sharing. That would help discovery and response immediately for other industries; just pointing fingers at China is getting old."

Next Steps

Learn more about a White House hack possibly tied to the Russian government.


Does your organization employ big data security systems?
No, we'll do with a firewall on the modem, a firewall on the router, firewalls on all the devices, and anything dangerous we run in a VM, not directly on the machine.

The website is in a DMZ with another firewall. Our biggest risk is probably using free wifi at coffee shops. :-)

That's kind of a strange article. It didn't even say what EINSTEIN was until the 7th paragraph. That EINSTEIN is a signature-based intrusion detection, and foreign gov'ts invent NEW intrusions with DIFFERENT signatures just makes sense to me. It would be interesting to figure out what the breach actually was and how it could have been prevented, but I suspect these things are classified and it all comes down to some amount of social engineering.

It's interesting to note that the federal government only has 2.71 million employees. So the 4 million might include retirees. My guess is names, address, dates of birth, SSN, everything that would be on the primary key in a database. CRAZY!

I wonder if they use Ada or if they've made the mistake of using closed-source spyware. Yes, Microsoft spyware is aimed at non-US targets, but, once you create spyware, you create the opportunity for it to be hijacked.

Given this article was written in June (not saying that for its date)... and as events have revealed more, we now know it likely included people who applied as well as those who were hired.

We also know that audits of OPM have been conducted, but not whether the advice of them has been taken and the issue fixed.

China...? Oh my goodness, what a surprise.

We're in the midst of a data war. Or a big game of Whack-A-Mole. We build, they break; we reinforce, they come in anyway... The only things surprising here are that it wasn't a bigger breach and that we didn't lose more.

Now we get to figure out what they left behind. And how to build a bigger wall for them to climb right over.

At least they know it was fingerprint records part of an outgoing analysis

It's a vicious cycle. We build a wall. They find a weakness, break in. Ooops... We need a new wall a little bigger and deeper... They find another weakness... My question is, are we doing the same to them? Are we trying to hack their systems? That is something we will never know... It also makes me wonder if that is all they got. Is the government telling us everything?