The IRS has said no to Einstein! That alone makes a statement. It was reported last week by the Department of Homeland Security (DHS) to congressional staffers that the Internal Revenue Service (IRS) was either unable or unwilling to implement the Einstein cyber security program.
The original EINSTEIN Program was the federal government's mandate in early 2002 and 2003 by both congressional and presidential orders to direct the federal agencies to work together and coordinate on intrusion detection. Federal government agencies were directed to follow the Department of Defense's (DOD) lead by installing intrusion detection systems and centralizing the reporting of unauthorized traffic. This would allow all federal government agencies to coordinate on a cyber event with DHS.
Back in the early '90s, first the US Air Force and later the DOD implemented systemic intrusion detection, which included centralized reporting. This was so effective even in the early days that just ten years later it was mandated that the rest of the federal government follow suit. Unfortunately, that's 30-70 "Internet Years" (as you may calculate dog years) depending on who you ask. This should tell you something about the leaders in the civilian government agencies.
When I first became a cybercrime investigator in 1986, I was a member and attended meetings of a group called the "Federal Computer Investigations Committee.” It was a fairly small, informal group from all over the country, which included 30-40 investigators and prosecutors from many of the federal agencies and even some state and local law enforcement. We met three or four times per year to share tools, techniques, and threats. The IRS had a tremendous presence back then. In fact, agents from the IRS, Andy Fried and Danny Mares, actually developed the digital forensics tools that everyone in law enforcement used. IRS, NASA, and DOD were the leaders of this committee because we were the favorite targets of hackers from all over the world back then. Obviously, all of those great IRS folks have retired.
It was and still is imperative that all successful and attempted intrusions detected are coordinated with other agencies and organizations to help prevent, minimize, mitigate, and respond to the damage. That is the critical premise that created the CERTs (Computer Emergency Response Teams). The first one was the Carnegie Mellon CERT created in 1988 as a result of the Morris Internet Worm case. I attended the meeting with Cliff Stoll on Election Day in 1988 at the NSA's National Computer Security Center that created the first CERT.
Einstein is certainly not a panacea, but it is a positive effort by DHS to attempt to herd all of the cats of federal government. I'm not saying that Einstein is necessarily the right tool, but you can't let everyone do their own thing. Anarchy is what the adversaries count on and desire. Responders need a common operating picture and a coordinated response.
Do you know how many unclassified networks the federal government has? Yes, only one. The Internet! We are all connected to the same network and the weakest links threaten everyone. The federal government shares the Internet with the private sector and the rest of the world. Again– we are all connected to the same network.
So, do you think the IRS is a potential target? The IRS is the most hated federal government agency. The IRS has the most sensitive privacy information of every US citizen and US company. US citizens today have direct online access to the IRS and can submit their sensitive information directly. The IRS also handles huge amounts of money. They reported in 2015 over 163,000 tax returns claiming over $900 million in fraudulent refunds, which is probably a very conservative number. Is the IRS a potential target?
I believe, for everyone's privacy and for national security, that the IRS and DOD must have the absolute best cyber security, and they should coordinate with everyone else– not opt out and do their own thing.
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at firstname.lastname@example.org.
Connect with Jim on Twitter: @jimchristyusdfc