DHS's Einstein Security System Has Limited Capabilities: Audit

An intrusion detection and prevention platform on which the United States government plans to spend $5.7 billion by 2018 has limited capabilities and does not fully meet its intended objectives, according to an audit conducted by the Government Accountability Office (GAO).

The incidents involving the Internal Revenue Service (IRS), the Office of Personnel Management (OPM) and the Postal Service have demonstrated that the U.S. government’s information systems and the sensitive records they store are exposed to cyberattacks.

One of the initiatives launched in an effort to help protect the government’s networks is the National Cybersecurity Protection System (NCPS), also known as the Einstein program. Created in 2003, Einstein was, until 2013, focused on helping the Department of Homeland Security (DHS) detect intrusions in the networks of federal agencies.

The latest version of the NCPS, dubbed “Einstein 3 Accelerated,” is designed to deliver a wider range of capabilities, including intrusion detection and prevention, analytics, and information sharing. The DHS had spent more than $1.2 billion on the NCPS through fiscal year 2014, and it’s estimated that the total lifecycle cost of the program will reach $5.7 billion through fiscal year 2018.

Despite the large amounts of money poured into the program so far, an audit conducted by GAO has found that Einstein only partially meets its objectives and not all federal agencies leverage its capabilities.

According to the public version of a report published in November, NCPS gives the DHS only limited capabilities for detecting potentially malicious activity on a federal agency’s network: the system compares traffic only to known patterns (signatures) and does not detect deviations from normal behavior. Another shortcoming of Einstein’s intrusion detection is that it does not monitor all types of traffic, and commonly exploited vulnerabilities are not covered by its signature database.
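As an added illustration, not part of the article or the GAO report, the Python sketch below contrasts the two detection approaches the audit distinguishes: a signature matcher only sees content it already knows, while a per-host volume baseline flags a large transfer of never-seen content. The signatures, addresses and flow records are all constructed.

```python
# Added example (not from the GAO report or NCPS): signature matching vs a
# per-host volume baseline over constructed flow records (all values made up).
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

class Flow(NamedTuple):
    src: str        # internal host
    dst: str        # external peer
    out_bytes: int  # bytes sent outbound
    payload: bytes  # first bytes of payload (constructed)

# Constructed "known bad" byte patterns standing in for a signature database.
SIGNATURES = {"fake-c2-beacon": b"BEACON-v1", "fake-dropper": b"MZ\x90\x00DROP"}

def signature_alerts(flows):
    """Flag flows whose payload contains a known pattern (signature-only detection)."""
    return [(f.src, name) for f in flows
            for name, pat in SIGNATURES.items() if pat in f.payload]

def baseline_per_host(training):
    """Per-host mean/stddev of outbound bytes learned from a benign window."""
    by_host = defaultdict(list)
    for f in training:
        by_host[f.src].append(f.out_bytes)
    return {h: (mean(v), pstdev(v)) for h, v in by_host.items()}

def anomaly_alerts(flows, baseline, k=3.0):
    """Flag flows exceeding mean + k*stddev of the host's outbound volume."""
    hits = []
    for f in flows:
        if f.src in baseline:
            mu, sigma = baseline[f.src]
            # max(sigma, 1.0) keeps a zero-variance baseline from flagging everything
            if f.out_bytes > mu + k * max(sigma, 1.0):
                hits.append((f.src, "volume-anomaly"))
    return hits

# Constructed benign training window: the host normally sends 1-1.5 KB per flow.
TRAINING = [Flow("10.0.0.5", "203.0.113.9", n, b"GET /index") for n in (1000, 1200, 1500, 1100, 1300)]

# Constructed observation window: a benign flow, a signature hit, and a large
# transfer of never-seen content that only the baseline detector notices.
OBSERVED = [
    Flow("10.0.0.5", "203.0.113.9", 1200, b"GET /news"),
    Flow("10.0.0.5", "198.51.100.7", 900, b"BEACON-v1 hello"),
    Flow("10.0.0.5", "198.51.100.8", 250_000, b"\x00\x11\x22 unknown"),
]

def run():
    base = baseline_per_host(TRAINING)
    return {"signature": signature_alerts(OBSERVED),
            "anomaly": anomaly_alerts(OBSERVED, base)}
```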

As for intrusion prevention, NCPS can block potentially malicious email, but it cannot block malicious web traffic. However, GAO’s report noted that the DHS plans to implement this capability in 2016.

The platform’s analytics feature is powered by a variety of tools, including tools for aggregating data and for analyzing the characteristics of malicious code. GAO said the DHS will also enhance Einstein’s analytics capabilities through 2018.

NCPS’s information-sharing capabilities are still mostly undeveloped, and their requirements were only recently approved.

“In addition, while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS,” GAO said in its report.

GAO also found that while the 23 agencies required to implement Einstein’s intrusion detection capabilities had routed some traffic to the system’s sensors, only five of these agencies benefited from intrusion prevention services.

In a statement issued Jan. 30, DHS Secretary Jeh Johnson defended the system, saying it has been effective, but noting that it was not intended to thwart all cyber attacks.

"The first two phases of the EINSTEIN program have been deployed across all federal civilian departments and agencies. This now allows us to detect cybersecurity threats, and EINSTEIN has in fact proven invaluable to identify significant incidents," Johnson said.

"The new and third phase of EINSTEIN, known as EINSTEIN 3A, has the ability to actively block -- not just detect -- potential cyber attacks. Unlike commercial products, EINSTEIN 3A can rely upon classified information, so the government is protected against our most sophisticated adversaries."

"The EINSTEIN system is not a silver bullet. It does not stop all attacks, nor is it intended to do so. It is part of a broader array of defenses," Johnson said.

Johnson said EINSTEIN 3A is currently protecting 50% of the government and has blocked more than 700,000 cyber threats to date.

*Updated with statement from Jeh Johnson

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.