A new report about the EINSTEIN government cybersecurity system has found that while it is good at what it does, what it does is far too limited compared with the needs of a modern cybersecurity system.
The report comes from the U.S. Government Accountability Office (GAO) and contains some startling findings, including that the National Cybersecurity Protection System (NCPS), operationally known as EINSTEIN, can currently only scan email for malware and cannot monitor Web traffic. Overall, GAO found that EINSTEIN is only "partially meeting its stated system objectives," and offered a number of recommendations for improvement.
EINSTEIN has cost $1.2 billion to build out as of the end of fiscal year 2014, according to GAO, and will ultimately cost $5.7 billion once it is fully implemented, which is expected by 2018.
Gregory Wilshusen, director of information security issues at GAO, said the limitations of EINSTEIN are due to the way the system was built out.
"I think what happened there was that DHS [Department of Homeland Security] took the approach of trying to develop capability, which it could develop in a timely manner," Wilshusen told SearchSecurity. "It's not that they don't have plans to develop the Web content monitoring, but I think part of it had to do with what they could accomplish and then expand EINSTEIN capability sometime in the future."
Chase Cunningham, director of cyberthreat research and innovation at Armor, based in Richardson, Texas, said the government cybersecurity plan was doomed by "being behind the curve for defensive needs."
"The project was started as a knee-jerk reaction to the needs they thought cyberspace needed years ago. Due to the nature of government contracting, the project took a bit longer than it should have to get rolling, and by the time it was at full force, cyberspace and the threat vectors had already evolved," Cunningham said. "Essentially, the project tried to fix issues that were security concerns six years ago, but those aren't issues anymore."
Wilshusen noted that email is an important attack vector to secure, and that EINSTEIN's signature-based monitoring of malicious activity does a "pretty good job," but said it needs an upgrade to "an intrusion detection capability that's anomaly-based, as opposed to signature-based detection."
"What we're referring to is where the system identifies and develops profiles of what is normal behavior in network activity, and when there are abnormal or anomalous levels of network activity is when it sends out an alert," Wilshusen said. "And that's important for detecting threats, such as zero-day threats, that may be new and for which a signature has not yet been discovered."
When the Office of Personnel Management (OPM) breach became public in June 2015, DHS admitted to SearchSecurity that EINSTEIN could not "currently detect or protect against new threats until they are identified, and an associated signature is developed and entered into the system."
"That OPM case is probably a good point of illustration that demonstrates the power, as well as the limitations, of the National Cybersecurity Program," Wilshusen said. "OPM had EINSTEIN enabled, but it didn't detect [the malicious activity] because it was a new attack. Once DHS was able to identify that characteristic and that pattern, it then updated its database and EINSTEIN, and ran that against other traffic from other databases. And it identified that the same attack that was successful at OPM was identified and detected at another agency."
Wilshusen said this shows how effective the government cybersecurity system can be when its signature database is up to date. That is why another recommendation in the GAO report is for EINSTEIN "to include the ability to more clearly link signatures to publicly available, open source data repositories," and to use "vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures."
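To make the difference between the two detection styles Wilshusen describes concrete, here is an added example in Python. It is not code from the GAO report, DHS or EINSTEIN; the flow records, host names, destinations and the known-bad list are all constructed for illustration, and the "OPM" and "AgencyB" labels only mirror the sequence he recounts: a signature-only scan misses a destination nobody has listed yet, a per-host volume baseline flags it as anomalous, the finding becomes a new signature, and a re-scan of another agency's traffic then catches the same infrastructure even where the volume alone would never have stood out.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary (a constructed record format, not NCPS's)."""
    agency: str
    host: str       # internal source host
    dst: str        # destination hostname
    bytes_out: int  # bytes sent from host to dst


def signature_alerts(flows: Iterable[Flow], bad_dsts: set[str]) -> list[Flow]:
    """Signature-based detection: a flow is malicious only if its destination
    is already on the known-bad list. Anything not yet listed is invisible."""
    return [f for f in flows if f.dst in bad_dsts]


class Baseline:
    """Anomaly-based detection: learn each host's normal outbound volume from a
    training window, then alert on flows far outside that profile."""

    def __init__(self, training: Iterable[Flow]) -> None:
        per_host: dict[str, list[int]] = defaultdict(list)
        for f in training:
            per_host[f.host].append(f.bytes_out)
        # profile: host -> (mean bytes_out, population standard deviation)
        self.profile = {h: (mean(v), pstdev(v)) for h, v in per_host.items()}

    def alerts(self, flows: Iterable[Flow], threshold: float = 3.0) -> list[Flow]:
        hits = []
        for f in flows:
            if f.host not in self.profile:
                continue  # no baseline for this host, so it cannot be scored
            mu, sigma = self.profile[f.host]
            if sigma == 0:
                z = 0.0 if f.bytes_out == mu else float("inf")
            else:
                z = (f.bytes_out - mu) / sigma  # z-score against the host's own history
            if z > threshold:
                hits.append(f)
        return hits


# --- Constructed sample data (not real OPM or agency traffic) ---
SIGNATURES = {"c2.known-bad.example"}  # the only destination the signature DB knows today

OPM_TRAINING = (
    [Flow("OPM", "ws-01", "mail.example.gov", b) for b in (45_000, 50_000, 55_000)]
    + [Flow("OPM", "ws-02", "mail.example.gov", b) for b in (10_000, 12_000, 14_000)]
)

OPM_LIVE = [
    Flow("OPM", "ws-01", "mail.example.gov", 52_000),
    Flow("OPM", "ws-02", "mail.example.gov", 13_000),
    # "zero-day": a destination no signature covers, moving 40x the host's usual volume
    Flow("OPM", "ws-01", "update-cdn.example.net", 2_000_000),
]

AGENCY_B_LIVE = [
    Flow("AgencyB", "srv-07", "mail.example.gov", 48_000),
    # same attacker infrastructure, but a small beacon that no volume baseline would flag
    Flow("AgencyB", "srv-07", "update-cdn.example.net", 40_000),
]


def run_scenario() -> dict[str, list[str]]:
    """Replay the sequence the article describes and return who caught what."""
    missed = signature_alerts(OPM_LIVE, SIGNATURES)        # step 1: signatures only
    caught = Baseline(OPM_TRAINING).alerts(OPM_LIVE)       # step 2: per-host baseline
    updated = SIGNATURES | {f.dst for f in caught}         # step 3: finding becomes a signature
    elsewhere = signature_alerts(AGENCY_B_LIVE, updated)   # step 4: re-scan another agency
    return {
        "signature_at_opm": [f.dst for f in missed],
        "anomaly_at_opm": [f.dst for f in caught],
        "signature_at_agency_b": [f"{f.host}->{f.dst}" for f in elsewhere],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Two caveats the scenario makes visible: the baseline only scores hosts it has a profile for (it skips AgencyB's `srv-07` entirely), and it flags volume, not intent, so the low-volume beacon at AgencyB is found only because the OPM finding was turned into a signature. Each approach covers what the other misses, which is the complementarity Wilshusen is pointing at.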
Michael Angelo, chief security architect at U.K.-based Micro Focus, said even these plans could end up behind the times, because encryption is changing network security.
"The issue is that Einstein was designed almost 13 years ago and retrofitted three years ago. The threat models have changed, as have the usage models," Angelo said. "The ability to scan network traffic for potential malware is further hindered by encryption. On the one hand, we need encryption to protect the communications and data from eavesdropping; while on the other hand, looking for signatures in an encrypted stream is not doable without having the keys."
Wilshusen also said that while DHS works to expand EINSTEIN's capabilities, federal agencies need to be aware of its limitations and have their own services in place to "supplement the capabilities of EINSTEIN."
The next step of the EINSTEIN expansion is EINSTEIN 3A (E3A), which Wilshusen said will add intrusion prevention capabilities to EINSTEIN's current intrusion detection capabilities.
"I think [E3A] will provide additional and greater coverage of what we laid out in the report to an extent," Wilshusen said. "EINSTEIN 3A is more of an intrusion prevention system, as opposed to an intrusion detection system, so it has a countermeasure that is paired with each signature or indicator of compromise. So, it not only will detect, but it's supposed to block the malicious activity from entering the networks. One of the things that we're also looking at is assuring that all network traffic is routed through these sensors. By doing that, it will provide greater coverage, as well as help EINSTEIN and the NCPS improve its effectiveness."
According to Wilshusen, the number of federal agencies covered by the system is also expected to rise quickly.
"On the intrusion prevention side of it, at the time of our review, about five out of the 23 civilian agencies had coverage from the intrusion prevention capability of EINSTEIN 3A," Wilshusen said. "I believe those five, according to DHS, may comprise about 40% to 50% of the network traffic for all federal agencies. I think the plan is to build it out to all 23 agencies in the not too distant future. It might even be sometime this year."
DHS has reportedly been accelerating the E3A rollout to comply with the Office of Management and Budget's Cybersecurity Strategy and Implementation Plan (CSIP). In response to a request for clarification on the rollout timeline, DHS pointed to Secretary Jeh Johnson's official statement responding to the GAO report.
"A year ago, EINSTEIN 3A protected only about 20% of the government," Johnson wrote. "In the wake of the OPM intrusion, in July 2015, I gave our cybersecurity team within DHS an aggressive deadline for making at least some aspects of EINSTEIN 3A available to all federal civilian departments and agencies by the end of last year, and they met that deadline. At present, EINSTEIN 3A is in fact protecting 50% of the government and is now available to 100% of the government."
Stephen Gates, principal sales engineer and senior technical expert at NSFOCUS IB, said government cybersecurity endeavors tend to move slowly, but he approved of the recommendations made by GAO.
"The GAO's job is to ensure the accountability of the federal government for the benefit of the American people. Responsible oversight of our government and homeland security endeavors makes a whole lot of sense," Gates said. "After reviewing the recommendations on page 41 of the report, it's apparent they're offering sound advice that will likely change how funds are spent or allocated to meet those recommendations."
However, Cunningham said the recommendations don't go far enough "by any measure."
"The entire project should be completely revamped and the government should start looking at smaller, more innovative projects and outside companies to bring innovation to the space," Cunningham said. "They need to stop focusing on only the big teams for those types of projects and bring in those groups that are truly innovating in the space."