Congressional leaders on Thursday questioned the Department of Homeland Security's past and present efforts to secure the government's networks and dismissed its new plan to improve security as inadequate and behind the times.
"It's hard to believe that this administration believes it has the answers to securing our networks and critical infrastructure," said Rep. Bennie Thompson (D-Miss.) during an often contentious hearing on President Bush's so-called Cyber Initiative before the House Committee on Homeland Security Thursday morning. "I have enormous questions about this initiative. Thus far, I have been extremely disappointed in this administration's efforts in cybersecurity."
The initiative is a long-range plan to upgrade the security of the federal government's networks and comprises a number of separate proposals, most notably an overhaul and expansion of the government's intrusion detection system, known as Einstein. Currently, Einstein is simply a passive traffic-monitoring system that records basic data about each packet, such as its originating IP address, its size, and where it came from and where it is headed. But the data that the system captures is not analyzed in real time, so attacks and other anomalies aren't caught until well after the fact. Einstein is also a voluntary program, and it is not yet in place at every federal agency.
DHS officials have proposed expanding Einstein to the entire federal government on a mandatory basis and enabling security analysts to analyze traffic in real time to look for malicious code and attacks. The expansion would cost $115 million, department officials said.
"Einstein currently handles a very, very, very small percentage of government traffic," Robert Jamison, under secretary of the National Protection and Programs Directorate at DHS, told the committee. "We want to build it up to one hundred percent. We want to be able to detect malicious code. It will have coverage of external points and will be informed by our current knowledge of the threat. Right now, we don't have that situational awareness. Right now, our capability is passive. We're not doing it in real time."
Several committee members, including Thompson, Rep. Jane Harman (D-Calif.) and Rep. Bob Etheridge (D-N.C.), were surprised by how little information DHS and other agencies involved in cybersecurity share with each other about current threats, past attacks and other critical issues.
"I have been sitting here with my mouth open. This hearing reminds me of the FEMA trailers. The fact that you don't have threat information is shocking," Harman said. "We are not being serious about our response to threats. How is that we're going to have in real time a response to a significant threat? I just don't see it."
Jamison defended the proposed expansion, saying that the new real-time capability is a must-have for federal agencies.
"We're not looking at content now. We propose to do that," he said. "Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system."
Jamison and Scott Charbo, deputy under secretary of the National Protection and Programs Directorate, also defended the broader Cyber Initiative as a necessary step and said that the Einstein expansion is only one piece of the plan. However, the committee members remained skeptical about Einstein's privacy controls and the administration's overall commitment to cybersecurity. Both Harman and Rep. Paul Broun (R-Ga.) questioned the propriety of allowing detailed inspections of all government data traffic.
"This looks almost like the fox guarding the henhouse," Broun said. "I'm not convinced that privacy is going to be protected in developing these systems."
Jamison said that a full privacy impact assessment of the new system would be completed before its deployment.
Karen Evans, administrator for electronic government and information technology at the Office of Management and Budget, cited the government-wide effort to reduce the number of connections to the Internet as a key component of the Cyber Initiative and said the effort should be complete by the summer. All government agencies had to report all of their external network connections, whether to contractors, other agencies or the public Internet, and the total came to about 4,000 external connections.
The government is projecting that it can reduce the number of Internet connections to about 50 under its Trusted Internet Connections program.