Feds' primary network security weapon needs more bang

DHS’ Einstein security program still faces recurring feature problems

Credit: United States Government Accountability Office

In the face of relenting network attacks and it seems that the government’s chief weapon for combatting the assault lacks some teeth.

That weapon – the Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS)—also known as Einstein has is intended to provide DHS with capabilities to detect malicious traffic traversing federal agencies’ computer networks, prevent intrusions, and support data analytics and information sharing. A tall tale no doubt but one that is imperative to protecting the gargantuan amount of government intelligence and personally identifiable information the feds watch over.

+More on Network World: 26 of the craziest and scariest things the TSA has found on travelers+

The threat is obvious -- the Government Accountability Office recently noted that the number of information security incidents affecting systems supporting the federal government grew 1,121% since 2006 -- 5,503 incidents in 2006 to 67,168 in fiscal year 2014. Similarly, the number of information security incidents involving PII reported by federal agencies has more than doubled in recent years, from 10,481 in 2009 to 27,624 in 2014. This week the GAO said in a review of the current status of NCPS that the system needs some work on its four chief areas of coverage. From the GAO report:

Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.

Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.

Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.

Information sharing: DHS has yet to develop most of the planned functionality for NCPS's information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.

The GAO went on to say that “while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system's intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS.”

+More on Network World: 20 years ago: Hot sci/tech images from 1995+

security incidents GAO analysis of United States Computer Emergency Readiness Team

Another problem is NCPS adoption. As GAO reports in the past have lamented, not all of the agencies required to implement the systems have done so (despite a White House directive last July to speed up adoption): “The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system,” the GAO stated.

In response to the GAO report the DHS acknowledged work needs to be done and that it was looking to bake in security features in the next round of network service contracts through the government’s Networx program.

Check out these other hot stories:

US lab develops gigantic turbine blades to capture vast wind energy

Say hello to The Matrix: DARPA looks to link brains and computers

CIA: 10 Tips When Investigating a Flying Saucer

TSA: Gun discoveries up 20% between 2015 and 2014

The Big Hang-up: IRS customer call center service stinks

High-tech plays big role in transportation safety wish list

Will your car become a mini-data center? IBM thinks that’s just the beginning

Should the US change metal coins?

Intelligence agency wants computer scientists to develop brain-like computers

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies