The Department of Homeland Security is charged with protecting federal networks and has spent more than $1.2 billion since 2009 to build the Einstein cybersecurity program and deploy it across the government. Despite this spending, the program is failing to prevent breaches and meet its other objectives, according to a recent review by the Government Accountability Office.

The Einstein program — the set of cybersecurity tools deployed under the National Cybersecurity Protection System (NCPS) — is supposed to give agencies four capabilities: intrusion detection, intrusion prevention, analytics and information sharing. The report finds that the program is not living up to those goals.

Report: DHS Needs to Enhance Capabilities, Improve Planning and Support Greater Adoption of NCPS

"While NCPS's ability to detect and prevent intrusions, analyze network data and share information is useful, its capabilities are limited," the report states. "For example, NCPS detects signature-based anomalies but does not employ other, more complex methodologies and cannot detect anomalies in certain types of traffic."

Not only that, the report continues, but the capabilities that are in use only block "a limited subset of network traffic" and the metrics put in place to gauge the progress of the program do not "provide insight into the value derived from the functions of the system."

While the program has accrued $1.2 billion in expenses to date, the total lifecycle cost is expected to rise to $5.7 billion by 2018.

GAO's review looked at the 23 civilian agencies covered by the CFO Act and the degree to which they use NCPS capabilities. It then compared how those programs and technologies are being deployed and whether they are accomplishing the four goals of the program.

The report also analyzed whether DHS's capabilities actually match up with accepted best practices in cybersecurity.

GAO found the Einstein program was at least partially failing on each of the four target capabilities:

Intrusion Detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data – or "signatures" – but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its signatures do not address threats that exploit many common security vulnerabilities and thus may be less effective.

Intrusion Prevention: The capability of NCPS to prevent intrusions (e.g., blocking an email determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks email. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.

Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.

Information Sharing: DHS has yet to develop most of the planned functionality for NCPS's information sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit — and agencies did not always provide — feedback on them.
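The distinction GAO draws in the detection finding, matching traffic against known "signatures" versus flagging deviations from a baseline of normal behavior, is easiest to see side by side. The following Python is an added illustration, not code from the page or from DHS/NCPS; the flow records, the two-entry signature set, the training window and the z-score threshold are all constructed assumptions. A signature-only sensor catches the beacon to a destination it already knows about and misses the large upload to an unknown address, while a simple per-host volume baseline catches the upload and ignores the beacon.

```python
"""Signature matching versus baseline-deviation detection over a few
constructed NetFlow-style records.  Added example, not NCPS/Einstein code:
the records, the signature set and the thresholds are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One outbound connection summary (constructed data)."""
    src: str
    dst: str
    dport: int
    bytes_out: int


# Hypothetical signature set: the only things a signature-only sensor can catch.
SIGNATURES = {
    "known_c2_host": lambda f: f.dst == "203.0.113.7",
    "irc_port": lambda f: f.dport == 6667,
}

# Hypothetical training window: ten ordinary HTTPS sessions from one host.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 443, b)
    for b in (1000, 1100, 1200, 1000, 1100, 1200, 1000, 1100, 1200, 1100)
]

# Constructed traffic to inspect:
#  1. beaconing to a destination already in the signature set
#  2. a large upload to an address no signature knows about (exfiltration)
#  3. a normal session
TEST_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 80, 900),
    Flow("10.0.0.5", "198.51.100.20", 443, 5_000_000),
    Flow("10.0.0.5", "192.0.2.10", 443, 1150),
]


def signature_alerts(flows):
    """Flag flows matching any known-bad pattern; novel activity is invisible."""
    return [(f, name) for f in flows
            for name, match in SIGNATURES.items() if match(f)]


def build_baseline(training):
    """Per-source mean and population stdev of outbound bytes."""
    per_host = defaultdict(list)
    for f in training:
        per_host[f.src].append(f.bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def baseline_alerts(flows, baseline, z_threshold=3.0):
    """Flag flows whose outbound volume deviates from the source's baseline."""
    alerts = []
    for f in flows:
        if f.src not in baseline:
            continue  # no profile yet: an anomaly detector needs a training period
        mu, sigma = baseline[f.src]
        z = (f.bytes_out - mu) / max(sigma, 1.0)  # floor avoids divide-by-zero
        if z > z_threshold:
            alerts.append((f, f"outbound_volume_z={z:.1f}"))
    return alerts


def run_sensor(flows=TEST_FLOWS, training=TRAINING_FLOWS):
    """Return the destinations each detector flags, to compare their coverage."""
    baseline = build_baseline(training)
    return {
        "signature": sorted({f.dst for f, _ in signature_alerts(flows)}),
        "baseline": sorted({f.dst for f, _ in baseline_alerts(flows, baseline)}),
    }


if __name__ == "__main__":
    print(run_sensor())
```

Run as-is, the signature detector reports only 203.0.113.7 and the baseline detector only 198.51.100.20. The baseline detector is deliberately crude (one feature, one host, a fixed z-score); the point is that it fires on something no signature describes, which is exactly the gap GAO says NCPS leaves, and that it is silent on hosts it has never profiled, which is the operational cost of that approach.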

Possibly more concerning: while DHS says all 23 civilian CFO Act agencies route traffic through NCPS sensors, National Security Deployment documents showed that only five agencies are actually using the intrusion prevention tools.

GAO made nine recommendations, all of which DHS concurred with. The department also provided auditors with detailed plans to address eight of the recommendations.

The new report, released on Jan. 28, is based on a more comprehensive November 2015 review that was marked For Official Use Only.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering the federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
