DHS chief: Government cybersecurity lacking


The government is failing to protect its websites and networks, Department of Homeland Security Secretary Jeh Johnson conceded to lawmakers Tuesday.

“To be frank,” he said, federal cybersecurity “is not where it needs to be.”


Johnson’s testimony before the House Judiciary Committee comes less than a week after the Office of Personnel Management (OPM) acknowledged that multiple breaches at the agency had exposed over 22 million people’s sensitive data.

The incident has shed light on glaring security flaws in government networks and the administration’s slow response to shore up its cyber defenses.

“There is a great deal that has been done and is being done now to secure our networks,” Johnson said, according to prepared testimony. “There is more to do.”

The DHS “Einstein” program, the government’s main defense against cyberattackers, has drawn great scrutiny in the wake of the breach.

The Einstein system is intended to monitor the government’s networks and repel malicious actors, like those that cracked the OPM system.

But it is being knocked as outdated before it is even fully implemented.

While certain components of Einstein are in place, Einstein 3 Accelerated — or E3A — which both identifies and blocks known nefarious digital actors, only protects about 45 percent of the federal civilian government, Johnson said.  

The agency head committed to making the program fully available by the end of 2015.

But even Einstein advocates admit the program is not sufficient. It lacks an ability to suss out hackers the government hasn’t previously encountered. That’s how the OPM hackers were able not only to sneak in, but also to roam around the network undetected for a full year.

E3A is a building block, Johnson insisted.

The program, he said, “is also a platform for future technologies and capabilities to do more. This includes technology that will automatically identify suspicious Internet traffic for further inspection, even if, as was the case with the OPM breach, we did not already know about the particular cybersecurity threat.”

Johnson also argued the DHS will offset these shortcomings with a “Continuous Diagnostics and Mitigation,” or CDM, program. CDM searches for digital intruders after they have already broken into the network.

The first phase of CDM is in use at eight federal agencies, covering about 50 percent of the government, Johnson said. By the fall, 97 percent of the government will be covered, he added.

But the DHS chief said he needed Congress’s help to go beyond that first phase.

“I have already requested authorization from Congress to reprogram additional funding to speed up CDM Phase 2,” he said.