DHS’s Einstein Security System Has Limited Capabilities: Audit

An intrusion detection and prevention platform for which the United States government plans on spending $5.7 billion by 2018 has limited capabilities and does not fully meet its intended objectives, according to an audit conducted by the Government Accountability Office (GAO).

The incidents involving the Internal Revenue Service (IRS), the Office of Personnel Management (OPM) and the Postal Service have demonstrated that the U.S. government’s information systems and the sensitive records they store are exposed to cyberattacks.

One of the initiatives launched in an effort to help protect the government’s networks is the National Cybersecurity Protection System (NCPS), also known as the Einstein program. Einstein was created in 2003, and until 2013 its objective was to help the Department of Homeland Security (DHS) detect intrusions in the networks of federal agencies.

The latest version of the NCPS, dubbed “Einstein 3 Accelerated,” is designed to deliver a wider range of capabilities, including intrusion detection and prevention, analytics, and information sharing. The DHS had spent more than $1.2 billion on the NCPS through fiscal year 2014, and it’s estimated that the total lifecycle cost of the program will reach $5.7 billion through fiscal year 2018.

Despite the large amounts of money poured into the program so far, an audit conducted by GAO has found that Einstein only partially meets its objectives and not all federal agencies leverage its capabilities.

According to the public version of a report published in November, NCPS provides the DHS only limited capabilities when it comes to detecting potentially malicious activity on a federal agency’s network because the system only compares traffic to known patterns (signatures), but it does not detect deviations from normal behavior. Another problem in Einstein’s intrusion detection feature is that it doesn’t monitor all types of traffic and commonly exploited vulnerabilities are not covered by its signature database.

As for intrusion prevention, NCPS can block potentially malicious email, but it cannot block malicious web traffic. However, GAO’s report noted that the DHS plans on implementing this capability in 2016.

The platform’s analytics feature is powered by a variety of tools, including tools for aggregating data and for analyzing the characteristics of malicious code. GAO said the DHS will enhance Einstein’s analytics capabilities as well through 2018.

NCPS’s information sharing capabilities are still mostly undeveloped and its requirements were only recently approved.

“In addition, while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS,” GAO said in its report.
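The two GAO findings above (signature-only matching misses traffic that merely deviates from normal behavior, and the program's metrics do not measure detection accuracy) can be made concrete with a small added illustration. This is constructed example code, not NCPS or GAO material: the signatures, the benign history and the test sessions are all made up, and the host name, byte counts and z-score threshold are assumptions chosen for the demonstration.

```python
import re
from statistics import mean, pstdev

# Constructed signatures (hypothetical patterns, not the NCPS signature set).
SIGNATURES = {
    "SIG-UA": re.compile(r"User-Agent: KnownBadBot"),
    "SIG-TRAV": re.compile(r"\.\./\.\./"),
}

# Constructed benign history: host -> bytes sent per session (assumed training data).
BENIGN_HISTORY = {
    "ws-17": [820, 910, 760, 1050, 880, 940, 800, 870],
}

# Constructed test sessions: (host, bytes_out, request_line, truly_malicious)
SESSIONS = [
    ("ws-17", 900,    "GET /index.html User-Agent: Mozilla/5.0", False),
    ("ws-17", 850,    "GET /../../etc/passwd User-Agent: curl", True),
    ("ws-17", 48_000, "POST /upload User-Agent: Mozilla/5.0", True),  # no signature, abnormal volume
]

def signature_detect(session):
    """Signature-only check: flag when the request line matches a known pattern."""
    return any(p.search(session[2]) for p in SIGNATURES.values())

def build_baseline(history):
    """Per-host mean and population stddev of bytes_out, learned from benign sessions."""
    return {h: (mean(v), pstdev(v)) for h, v in history.items()}

def anomaly_detect(session, baseline, z=4.0):
    """Behavioural check: flag when bytes_out exceeds the host's mean by more than z stddevs."""
    mu, sd = baseline.get(session[0], (0.0, 0.0))
    return sd > 0 and (session[1] - mu) / sd > z

def combined_detect(session, baseline):
    """Signatures plus a behavioural baseline; either one firing raises an alert."""
    return signature_detect(session) or anomaly_detect(session, baseline)

def score(sessions, detector):
    """Precision and recall against ground truth: the accuracy measure GAO said the metrics lacked."""
    tp = fp = fn = 0
    for s in sessions:
        flagged, truth = detector(s), s[3]
        tp += int(flagged and truth)
        fp += int(flagged and not truth)
        fn += int(not flagged and truth)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return round(precision, 2), round(recall, 2)

if __name__ == "__main__":
    base = build_baseline(BENIGN_HISTORY)
    print("signature only:", score(SESSIONS, signature_detect))
    print("signature + baseline:", score(SESSIONS, lambda s: combined_detect(s, base)))
```

On the constructed sessions the signature-only detector reaches 1.0 precision but only 0.5 recall, because the large upload matches no pattern; adding the per-host baseline catches it and lifts recall to 1.0.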

GAO also found that while the 23 agencies required to implement Einstein’s intrusion detection capabilities had routed some traffic to the system’s sensors, only five of these agencies benefited from intrusion prevention services.

In a statement issued Jan. 30, DHS Secretary Jeh Johnson defended the system, saying it has been effective, but noting that it was not intended to thwart all cyber attacks.

“The first two phases of the EINSTEIN program have been deployed across all federal civilian departments and agencies. This now allows us to detect cybersecurity threats, and EINSTEIN has in fact proven invaluable to identify significant incidents,” Johnson said.

“The new and third phase of EINSTEIN, known as EINSTEIN 3A, has the ability to actively block — not just detect — potential cyber attacks. Unlike commercial products, EINSTEIN 3A can rely upon classified information, so the government is protected against our most sophisticated adversaries.” 

“The EINSTEIN system is not a silver bullet. It does not stop all attacks, nor is it intended to do so. It is part of a broader array of defenses,” Johnson said.

Johnson said EINSTEIN 3A is currently protecting 50% of the government and has blocked more than 700,000 cyber threats to date.

Related: Nuclear Agency’s Cybersecurity Center Not Optimized

*Updated with statement from Jeh Johnson

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
