When it comes to the government protecting all manner of state and personal information, the feds can use all the help they can get.
One of the most effective tools the government has is the National Cybersecurity Protection System (NCPS), known as “EINSTEIN.” In a nutshell, EINSTEIN is a suite of technologies intended to detect and prevent malicious network traffic from entering and exiting federal civilian government networks.
The Government Accountability Office has been tracking EINSTEIN’s implementation since about 2010 and will later this year issue an update on the status of the system. But this week, it included some details of its report in an update on the state of federal security systems, and all is not well.
Preliminary EINSTEIN observations from the GAO:
• The Department of Homeland Security [which administers EINSTEIN] appears to have developed and deployed aspects of the intrusion detection and intrusion prevention capabilities, but potential weaknesses may limit their ability to detect and prevent computer intrusions. For example, NCPS detects signature anomalies using only one of three detection methodologies identified by NIST: signature-based, anomaly-based, and stateful protocol analysis. Further, the system has the ability to prevent intrusions, but is currently only able to proactively mitigate threats across a limited subset of network traffic (i.e., Domain Name System traffic and e-mail).
• DHS has identified a set of NCPS capabilities that are planned to be implemented in fiscal year 2016, but it does not appear to have developed formalized requirements for capabilities planned through fiscal year 2018.
• The NCPS intrusion detection capability appears to have been implemented at 23 CFO Act agencies.
Over the years there has been criticism of the EINSTEIN program, not so much for its capabilities but because it wasn’t in use universally across all government systems – an issue that was highlighted in the recent Office of Personnel Management data breach, which exposed personal information on around 4 million federal government workers.
In a recent congressional hearing about that break-in, Assistant Secretary for DHS’ Office of Cybersecurity and Communications Andy Ozment said the version of EINSTEIN the OPM had did detect malicious traffic but didn’t do anything about it, because OPM didn’t have the most up-to-date version of the system. Still, EINSTEIN 3 played a role in possibly preventing further damage to other systems.
“… as soon as OPM identified malicious activity on their network, they shared this information with DHS. DHS then developed a signature for the particular threat, and used EINSTEIN 2 to look back in time for other compromises across the federal civilian government. This same threat information is used by EINSTEIN 3A to block potential threats from impacting federal networks. Thus, DHS is using EINSTEIN 3A to ensure that this cyber threat could not exploit other agencies protected by the system. DHS is accelerating EINSTEIN 3A deployment across the Federal Government. While it is challenging to estimate the potential impact of a prevented event, each of these malicious DNS requests or emails that were blocked by EINSTEIN 3A may conceivably have led to a cybersecurity compromise of severe consequence,” he stated.
There are three basic versions of EINSTEIN all with varying degrees of implementation across the government:
- EINSTEIN 1/Network Flow: Provides an automated process for collecting, correlating, and analyzing agencies’ computer network traffic information from sensors installed at their Internet connections.
- EINSTEIN 2/Intrusion Detection: Monitors federal agency Internet connections for specific predefined signatures of known malicious activity and alerts US-CERT when specific network activity matching the predetermined signatures is detected.
- EINSTEIN 3 A/Accelerated Intrusion Prevention: Automatically blocks malicious traffic from entering or leaving federal civilian executive branch agency networks. This capability is managed by Internet service providers, who administer intrusion prevention and threat-based decision-making using DHS-developed indicators of malicious cyber activity to develop signatures.
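To make the GAO’s point concrete, here is an added example (not DHS or NCPS code) that runs the three NIST detection methodologies named above over a constructed DNS log: a signature lookup of the kind EINSTEIN 2 performs (and that DHS ran retrospectively after OPM), an anomaly check on per-host query volume, and a stateful check for DNS responses that no query solicited. Hostnames, domains and transaction IDs are all made up; the signature set stands in for a DHS-developed indicator.

```python
"""Three NIST SP 800-94 detection methodologies over a constructed DNS log."""
from collections import Counter
import statistics

# Constructed log records: (time, host, direction Q=query/R=response, txid, qname)
LOG = [
    (1, "ws01", "Q", 0x1A2B, "intranet.example"),
    (1, "ws01", "R", 0x1A2B, "intranet.example"),
    (2, "ws02", "Q", 0x2C3D, "mail.example"),
    (2, "ws02", "R", 0x2C3D, "mail.example"),
    (3, "ws03", "Q", 0x3E4F, "c2.bad-domain.example"),   # matches the constructed IOC
    (3, "ws03", "R", 0x3E4F, "c2.bad-domain.example"),
    (4, "ws04", "R", 0x9999, "update.example"),          # response with no prior query
] + [(5 + i, "ws05", "Q", 0x5000 + i, f"x{i}.tunnel.example") for i in range(30)]

# Constructed indicator, standing in for a DHS-developed signature
SIGNATURES = {"c2.bad-domain.example"}

def signature_based(log, signatures=SIGNATURES):
    """Match queries against known indicators (the one method NCPS uses today).
    Run over stored logs, this is the 'look back in time' search from the hearing."""
    return sorted({h for _, h, d, _, q in log if d == "Q" and q in signatures})

def anomaly_based(log, factor=5):
    """Flag hosts whose query count is far above the fleet median (no signature needed)."""
    counts = Counter(h for _, h, d, _, _ in log if d == "Q")
    median = statistics.median(counts.values())
    return sorted(h for h, n in counts.items() if n > factor * median)

def stateful_protocol(log):
    """Track DNS transaction state: a response with no outstanding query for the
    same (host, txid) violates expected protocol behaviour."""
    pending, hits = set(), []
    for _, h, d, txid, _ in log:
        key = (h, txid)
        if d == "Q":
            pending.add(key)
        elif key in pending:
            pending.discard(key)
        else:
            hits.append(h)
    return hits

def run_all(log):
    """Return what each methodology flags; only 'signature' reflects current NCPS coverage."""
    return {"signature": signature_based(log),
            "anomaly": anomaly_based(log),
            "stateful": stateful_protocol(log)}

if __name__ == "__main__":
    for method, hosts in run_all(LOG).items():
        print(f"{method:10s} -> {hosts}")
```

Only ws03 is caught by the signature method; ws05 (bulk queries) and ws04 (unsolicited response) surface only through the two methodologies the GAO notes NCPS does not use.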
“Preliminary observations indicate that implementation of the intrusion detection and prevention capabilities may be limited and requirements for future capabilities appear to have not been fully defined. While these initiatives are intended to improve security, no single technology or tool is sufficient to protect against all cyber threats. Rather, agencies need to employ a multi-layered approach to security that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies,” the GAO stated.