Feb 12 2016

DHS Defends Einstein Cyberdefense System

After a GAO report criticized the DHS’ cyberefforts, the Obama administration is pumping more money and effort into cybersecurity.

The Department of Homeland Security (DHS) is continuing to defend its efforts to enhance the federal government’s cybersecurity systems, following a report from the Government Accountability Office (GAO ) that criticized one of the main defensive cybersecurity tools used by the DHS.

This week, the Obama administration placed a heavy emphasis on cybersecurity, making a new national plan a key element of the fiscal 2017 budget proposal. The budget requests $19 billion in cybersecurity funding for fiscal 2017, which would represent a 35 percent increase from last fiscal year’s $14 billion.

However, the DHS has been at the center of the debate over whether the federal government is doing enough to beef up its cybersecurity efforts and get other agencies to use a critical protection system known as Einstein.

DHS Defends Efforts

The GAO issued a report in late January that said the DHS’ National Cybersecurity Protection System (NCPS), the formal name for Einstein, is meeting only part of its objectives. The report notes that the system “provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or ‘signatures,’” but does not target new or unknown patterns of potential attacks.

Additionally, the report said the Einstein system’s ability to “prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.”

Further, as FierceGovernmentIT notes, the report found that although the 23 agencies required to put Einstein’s intrusion-detection capabilities into place had taken advantage of the system, just five had received intrusion-prevention protection.

Shortly after the report was released, DHS Secretary Jeh Johnson issued a statement defending Einstein, noting that it “has the ability to actively block — not just detect — potential cyber attacks. Unlike commercial products, EINSTEIN 3A can rely upon classified information, so the government is protected against our most sophisticated adversaries.”

Johnson also said that a year ago Einstein only protected 20 percent of government systems, but after the hacks that hit the Office of Personnel Management (OPM), Einstein’s use was expanded, and it now covers 50 percent of the government and is available to 100 percent. Johnson noted that “Congress has also mandated that all federal civilian agencies participate in the program by the end of 2016.”

Additionally, Johnson said that the Einstein system “is not a silver bullet. It does not stop all attacks, nor is it intended to do so. It is part of a broader array of defenses.” Johnson also said DHS is going to “research and build capabilities that will allow us to detect never-before seen attacks, leveraging the best of government and private sector technology and expertise.”

On Thursday, the DHS continued the defense of its efforts. Phyllis Schneck, the DHS’ chief cybersecurity official, said that Einstein is part of a larger effort.

“Einstein didn’t block it, we hadn’t seen it before — that is part of the program,” Schneck said, regarding the OPM attacks, according to Inside Sources. “That’s like a vaccine. Everybody’s got a Measles vaccine — we don’t stop getting a Measles vaccine because there are other diseases, because the measles is still out there.”

Schneck also praised the recent budget proposal, which she said will “enable us to go faster, go bigger,” according to The Hill.

Focus on Continuous Diagnostics and Mitigation

The DHS says that the 2017 budget provides $471.1 million for the NCPS, which will “maintain currently deployed Einstein capabilities, and invest in new capabilities for analytics, information sharing, and intrusion prevention.” The budget also includes $274.8 million for the “Continuous Diagnostics and Mitigation program which provides hardware, software, and services designed to support activities that strengthen the operational security of federal ‘.gov’ networks.”

Ken Durbin, unified security practice manager for Symantec’s public sector division, told FedTech that he agrees with Johnson that Einstein is not a silver bullet.

“It could be better; it could do more,” he says. “We always talk about ‘defense in depth.’ Well, Einstein is a layer of defense in depth.”

Continuous Diagnostics and Mitigation, or CDM, identifies cybersecurity risks on an ongoing basis, then prioritizes the risks based upon how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first, according to DHS.

Durbin called CDM “a collection of a rich amount of telemetry that could be used to inform Einstein about threats, and then Einstein in turn would protect agencies based on that information. It could be a symbiotic relationship.”

However, Durbin said it is “not clear that DHS is going to incorporate telemetry from CDM.”

The GAO report said that using data from the CDM program “could add value by minimizing the risk that known vulnerabilities will be exploited.” Yet it also said that it is “unclear” how the DHS will use CDM “log data” to aid in cybersecurity defenses.

Win McNamee/ThinkStock

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.