The cyber security system maintained and operated by the Department of Homeland Security (DHS) for protecting federal computer networks is limited in meeting its objectives, a government auditing agency says.

The audit report says that although the cyber security system’s “ability to detect and prevent intrusions, analyze network data, and share information is useful, its capabilities are limited.”

The National Cybersecurity Protection System (NCPS), which is better known as EINSTEIN, was developed and deployed to provide intrusion detection, intrusion prevention, analytics, and information sharing for federal civilian agency networks. The system is operated by the United States Computer Emergency Readiness Team (US-CERT) and is developed, deployed and sustained by the National Security Deployment division, two groups within the DHS Office of Cyber Security and Communications.

In its report released on Jan. 28 highlighting some of the capabilities and shortcomings of NCPS, the Government Accountability Office (GAO) says the system “detects signature-based anomalies, but does not employ other, more complex methodologies and cannot detect anomalies in certain types of traffic. Further, the intrusion prevention capabilities can currently mitigate threats to a limited subset of network traffic.”

Some analytics capabilities have been deployed and more complex tools are planned, says the report, Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System (GAO-16-294). But it says that the information sharing capabilities of NCPS have only recently been “approved and funded for development” and that currently these “efforts are manually and largely ad hoc.”

Citing recommendations of the National Institute of Standards and Technology, GAO says intrusion detection methodologies should be a combination of signature-based, anomaly-based, and stateful protocol analysis. Based on DHS documents and statements from NSD officials, GAO says the intrusion detection capabilities of NCPS were only ever intended to be signature-based.

“By employing only signature-based intrusion detection, NCPS is unable to detect intrusions for which it does not have a valid or active signature deployed,” GAO says. The report says that US-CERT and NSD officials told the GAO that ultimately federal agencies are responsible for protecting their own networks and that DHS provides a baseline set of security and broader government-wide situational awareness as part of a layered defense.
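To make the gap GAO describes concrete, the following is an added illustration (not code from the report or from NCPS) of a signature-only detector beside a simple anomaly detector, run over constructed flow records. The signature table, its active flag, the host names and the addresses are all assumptions made for the example; the point is that an inactive or missing signature leaves an event undetected unless another methodology, such as anomaly-based detection, is layered on top.

```python
import re

# Hypothetical signature table. The 'active' flag mirrors the report's point that a
# signature must be both valid and actually deployed before it can detect anything.
SIGNATURES = {
    "known-bad-useragent": {"pattern": r"User-Agent: EvilBot", "active": True},
    "retired-exploit-string": {"pattern": r"/cgi-bin/old\.cgi", "active": False},
}

# Constructed flow records (not real traffic): source host, destination, port, payload.
# The first two records represent a benign learning period for the anomaly baseline.
FLOWS = [
    {"host": "ws-1", "dst": "10.0.0.5", "port": 443, "payload": "GET / HTTP/1.1"},
    {"host": "ws-1", "dst": "10.0.0.5", "port": 443, "payload": "GET /index HTTP/1.1"},
    {"host": "ws-1", "dst": "10.0.0.5", "port": 443, "payload": "User-Agent: EvilBot"},
    {"host": "ws-1", "dst": "10.0.0.9", "port": 80, "payload": "GET /cgi-bin/old.cgi"},
    {"host": "ws-1", "dst": "203.0.113.7", "port": 6667, "payload": "NICK zz"},
]


def signature_alerts(flows, signatures):
    """Return (flow index, signature name) for flows matching an ACTIVE signature."""
    hits = []
    for i, flow in enumerate(flows):
        for name, sig in signatures.items():
            if sig["active"] and re.search(sig["pattern"], flow["payload"]):
                hits.append((i, name))
    return hits


def learn_baseline(flows):
    """Anomaly baseline: the set of (destination, port) pairs seen during a benign period."""
    return {(f["dst"], f["port"]) for f in flows}


def anomaly_alerts(flows, baseline):
    """Return indices of flows whose (destination, port) pair is absent from the baseline."""
    return [i for i, f in enumerate(flows) if (f["dst"], f["port"]) not in baseline]


def layered_detection(flows, signatures, baseline):
    """Union of both detectors: the set of flow indices that at least one method flagged."""
    flagged = {i for i, _ in signature_alerts(flows, signatures)}
    flagged.update(anomaly_alerts(flows, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    base = learn_baseline(FLOWS[:2])
    print("signature:", signature_alerts(FLOWS, SIGNATURES))  # only flow 2
    print("anomaly:  ", anomaly_alerts(FLOWS, base))          # flows 3 and 4
    print("layered:  ", layered_detection(FLOWS, SIGNATURES, base))
```

Flow 3 matches a signature that is not active and flow 4 matches none at all, so the signature-only detector reports just flow 2; the baseline check flags the other two because they go to destination/port pairs never seen in the learning period.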

GAO also says that NCPS can’t detect cyber attacks across all types of network traffic “such as traffic related to browsers, e-mail, and file transfer, as well as traffic related to supervisory control and data acquisition (SCADA) systems.” US-CERT and NSD officials told GAO that agencies have not been clear with them on the types of network traffic within their organizations and that the agencies are responsible for routing traffic to NCPS sensors.

Regarding the limited capabilities of NCPS intrusion prevention, which gives DHS the ability to “proactively” manage threats before they can potentially harm networks, the report says the system does not cover some types of network traffic, such as web content, “which are common vectors of attack not currently being analyzed for potentially malicious content.” It notes that the kinds of network traffic the system is currently applied to include Domain Name Service blocking and e-mail filtering.

DHS officials told GAO that the department is developing intrusion prevention capabilities for other types of network traffic and that they expected to be filtering web content by Jan. 1, 2016.

GAO says that DHS has identified future needs for NCPS, but so far has made little progress in developing requirements. Without clear requirements, DHS “risks investing in functionality that does not effectively support agency information security,” the report says.

The report also says that adoption of NCPS across the required 23 federal agencies has been mixed. While all of these agencies are routing traffic through NCPS sensors, so far only five receive intrusion prevention services and only one has “fully adopted” this capability for its email traffic.

GAO also says that of five agencies it selected, four are only routing some of their network traffic through the intrusion detection sensors.