Following release of a government audit report the week of Jan. 25 that highlighted shortcomings in a federal cyber security system, Homeland Security Secretary Jeh Johnson on Jan. 30 said he has directed his department to develop the capabilities to defend against unknown cyber attacks.
The Government Accountability Office (GAO) report said that the National Cybersecurity Protection System (NCPS), which is operationally called EINSTEIN, is useful in detecting and preventing cyber intrusions but still has limited capabilities. One of those limitations is the inability of EINSTEIN to detect and prevent attacks where the threat signature is unknown.
Responding to the report, Johnson issued a statement saying that “The EINSTEIN system is not a silver bullet. It does not stop all attacks, nor is it intended to do so. It is part of a broader array of defenses. Further, as GAO notes correctly, the current version of EINSTEIN only blocks cyber threats we know about. But EINSTEIN also provides a platform for new technologies to protect the government. I have therefore directed our team to research and build capabilities that will allow us to detect never-before seen attacks, leveraging the best of government and private sector technology and expertise.”
Asked for some specifics about the research into detecting unknown attacks, a DHS spokesman told sister publication Defense Daily on Feb. 1 that he has no additional information “at this time.”
GAO said that the intrusion detection capabilities are the most developed of the system objectives of the NCPS, but warned that the system isn’t making use of publicly available data as well as signatures from the DHS Continuous Diagnostics and Mitigation program to allow it to detect “attacks that exploit known vulnerabilities.”
In response, DHS agreed with GAO on the need to better link threat signatures to publicly available databases and said it is updating a software tool for this purpose.
The EINSTEIN system is deployed and operated by DHS to protect the computer networks of the federal civilian government and is deployed across all federal civilian departments and agencies, although it is the responsibility of these entities to adopt the system’s capabilities.
The GAO report said that federal civilian departments and agencies must approve memorandums of agreement (MoA) to establish EINSTEIN service for an agency. So far, 16 of 23 non-defense agencies have done so, it said.
However, citing DHS officials responsible for deploying and maintaining EINSTEIN, GAO said even in cases where an agency chief information officer has signed an MoA, “network operators within the agency can be unaware of the agreement, which can pose a potential barrier to full deployment.”
Johnson pointed out that the third phase of protection system, called EINSTEIN 3A, which can actively block potential cyber attacks, is currently available to 100 percent of the government although it is only protecting 50 percent of departments and agencies.
He also said he is working with departments to “prioritize” the use of EINSTEIN 3A, noting that Congress has mandated that all federal civilian agencies avail themselves of the program by the end of 2016.
Johnson touted the results so far from EINSTEIN saying it has been “invaluable to identify significant incidents” and that “to date EINSTEIN 3A has blocked over 700,000 cyber threats.” He also noted that EINSTEIN 3A, unlike commercial products, can use classified information “so the government is protected against our most sophisticated adversaries.”