By Calvin Biesecker

Deployment of a new system at five select government agencies that will detect cyber intrusions on federal information technology networks is complete and at some point this month is expected to achieve initial operating capability (IOC), a Department of Homeland Security (DHS) official said on Tuesday.

The Einstein 2.0 system has already achieved IOC at DHS and will do the same at the other agencies once ongoing legal reviews are completed, Peter Fonash, acting director of the National Cybersecurity Division within DHS’ National Protection and Preparedness Directorate, told a House Science Committee panel. In addition to DHS, Einstein 2.0 is deployed at the Departments of Agriculture, Justice and State and at NASA. Installation at other locations is ongoing, he said.

Einstein 2.0 represents the second block of the Einstein intrusion detection system. The initial block of the system doesn’t have real-time alerting capabilities, whereas Einstein 2.0 does. DHS is currently developing incremental improvements to the 2.0 system (Defense Daily, Jan. 7).

The Einstein 2.0 system is being deployed at federal department and agency Trusted Internet Connections (TIC), which are the external access points where adversaries can attempt to exploit gaps in the government’s information networks. In addition to rolling out Einstein 2.0, the government is actively reducing the number of TICs.

Einstein 2.0 is used by the DHS United States Computer Emergency Readiness Team, called US-CERT, which coordinates and shares cyber incident information with the various stakeholders.

Fonash also said that discussions are underway to deploy Einstein 2.0 at trusted Internet Protocol service locations, which represents the third phase of the program’s deployment. The fourth phase will be to deploy the system at remaining single service TIC Access Provider departments or agencies. He said that deployments will begin as these agencies “become more technically stable in their TIC implementations.”

Also testifying on Tuesday was Robert Leheny, acting director of the Pentagon’s Defense Advanced Research Projects Agency (DARPA). DARPA is developing a National Cyber Range (NCR) that will provide a testbed to “simulate and measure technologies and their performance in a realistic environment, allowing cyber security technology testing under real-world conditions and across a variety of network types,” Leheny said in his prepared remarks. “DARPA believes the NCR will accelerate the development of leap-ahead cyber security technology for the larger research community,” he said later.

Last year, the agency awarded eight-month contracts to seven teams for engineering plans for the NCR. Contract recipients are SPARTA, Inc., The Johns Hopkins Univ. Applied Physics Laboratory, Lockheed Martin [LMT], Britain’s BAE Systems, SAIC [SAI], General Dynamics [GD], and Northrop Grumman [NOC]. Under Phase I, the government hopes to be able to determine that the contractor’s approach is feasible and that the contractor has a credible and affordable approach to reduce system risk within the planned schedule.

The competing designs for the NCR are expected to be delivered later this summer for evaluation to continue into a second phase, Leheny told the House panel. The goal in Phase II is production of a limited number of “prototype ranges,” he said. In the final phase of the program the most capable prototype will be developed into the “operational range to be completed in 2012,” he said. At that point, the completed range would be transferred to another organization for operation, he added.

“I believe, for example, that NCR could have a panel that reviews and prioritizes proposals submitted by potential users for time on the range,” Leheny said. “One of their guiding principles would be to ensure that the portfolio of research fulfills the mission of the range.”

The plan for the NCR is to allow both classified and unclassified testing to take place.

Leheny mentioned two primary challenges to achieving the NCR’s goals. One is how to simulate large, heterogeneous networks realistically and “what instruments can be created to monitor performance during experiments to provide the greatest meaningful understanding of the results,” he said.