Lance Bellers - Fotolia
The Federal Bureau of Investigation (FBI) is investigating a breach of government computers which could have led to the theft of millions of federal personnel records. FBI investigators suspect China-based hackers in the attack, but the breach leaves questions about the usefulness of the EINSTEIN defense system that the government relied on.
The breach has been described by officials as one of the largest known thefts of government data. It was detected in the Office of Personnel Management (OPM) which manages background checks, pension payments and job training across myriad federal agencies.
U.S. officials said up to 4 million records may have been stolen in the government data breach, but didn't say exactly what had been stolen, describing the data only as information that could be used to facilitate identity theft or fraud.
A Department of Homeland Security (DHS) spokesman S.Y. Lee said in a statement that its intrusion detection system, known as EINSTEIN, identified the breach, which occurred in April 2015.
"DHS's United States-Computer Emergency Readiness Team (US-CERT) used the EINSTEIN system to discover a potential compromise of federal [personally identifiable information]," said Lee. "Working with the affected agency and other interagency partners, US-CERT cyber incident response teams were deployed to identify the scope of the potential intrusion and mitigate any risks identified. Based upon these response activities, DHS concluded at the beginning of May 2015 that OPM data had been compromised."
A spokesman for the Chinese Embassy in Washington dismissed the allegations, calling them "unverified" and noting that "cyberattacks conducted across countries are hard to track and, therefore, the source of attacks is difficult to identify."
EINSTEIN is an intrusion detection and prevention system that screens federal Internet traffic to identify potential cyber threats. When asked why the EINSTEIN system could not prevent the government data breach, a DHS official said EINSTEIN "cannot currently detect or protect against new threats until they are identified and an associated signature is developed and entered into the system."
A recent SearchSecurity survey found that only 52% of respondents believed that signature-based defenses were "effective against the majority of today's malware."
As this article was published, DHS had not responded to inquiries whether there are plans to expand EINSTEIN to include sandboxing in order to better prevent attacks using unknown malware.
DHS did confirm that after detecting the government data breach, US-CERT has worked to share the malware signatures found with affected agencies, interagency partners and the private sector.
Additionally, OPM will offer credit monitoring and identity theft insurance for 18 months to individuals potentially affected, and the National Treasury Employees Union, representing workers in 31 federal agencies, is encouraging members to sign up for the monitoring as well.
Jason Polancich, founder and chief architect for SurfWatch Labs and previously a U.S. government intelligence analyst, said the current release of information by the U.S. government is insufficient.
"Unfortunately, the real, most helpful details in this latest attack are not being shared outside very stove-piped lines," Polancich said. "Given the frequency and broad nature of these breaches, the government needs to open kimono from here in a more direct and official way. They need to practice what they preach with respect to information sharing. That would help discovery and response immediately for other industries; just pointing fingers at China is getting old."
Learn more about a White House hack possibily tied to the Russian government.