DHS coming up short on Einstein deployment
Connecting state and local government leaders
Deployment of the governmentwide intrusion detection system was scheduled to be completed last year, but there still are a "bunch of agencies not covered."
Deploying the governmentwide intrusion detection system known as Einstein is taking longer than expected, and development of the next stage of the system, scheduled for completion in 2015, is costing more than expected.
Einstein, which is being deployed to Trusted Internet Connection access providers for agencies in the .gov domain, now serves 17 of 18 major agencies, said Brendan Goode, director of Network Security Deployment in the Homeland Security Department's National Cyber Security Division. But there are more than 100 departments and independent agencies in the domain.
"That still leaves a bunch of agencies not covered," Goode said.
The delay in fully implementing the system has earned that phase of the project red status on the government's IT dashboard. The next major phase, implementing intrusion prevention in the system, still is on track to be finished by the end of calendar 2015 but the cost currently is about $41 million over the estimated $237 million, an overrun that gives it a yellow status.
|
Metrics for operational performance of the current iteration of the Einstein governmentwide intrusion detection system |
FY2013 target | Actual | |
|---|---|---|---|
|
Percent of executive branch civilian agency networks monitored for cyber intrusions |
70% |
57% | |
|
Percent of high priority alert-level events detected and validated |
94% |
89% | |
|
Average minutes from threat identification to ticket generation |
60 |
15.4 | |
|
Percent of identified high vulnerabilities where mitigation strategies were provided |
94% |
100% | |
|
Average system availability |
99.5% |
0 |
Source: Government IT Dashboard
Overall, however, the complex 13-year program has a green status. Recently resigned DHS CIO Richard Spires had said Einstein has been "delivering needed capabilities" to agencies and assessed the program as a moderately low-risk investment. If it performs as intended, it would provide a powerful tool for automating the security of government networks.
Goode outlined the goals and status of Einstein, the operational keystone of the National Cybersecurity & Protection System (NCPS), in a briefing to the American Bar Association's standing committee on law and national security. Goode, an electrical engineer by training, said his job as head of network security is to deliver the technical capability to enable NCPS.
The current iteration of Einstein is a signature-based system that identifies intrusions. The next step, expected to be completed in September, is to develop information-sharing capabilities for it, enabling automated machine-to-machine exchanges to deliver alerts as an incident is under way so that response and remediation can begin immediately.
The next major iteration will be Einstein 3 Advanced, which is intended to not only detect but also block intrusions are they occur. Work on this phase began in 2008. A pilot of the IPS capabilities has been conducted in the Energy Department, Goode said.
Another major effort of Goode's office is Enhanced Cybersecurity Services (ECS), an expansion of the Defense Department's Defense Industrial Base pilot, in which classified cybersecurity intelligence is shared with cleared non-government personnel working with defense contractors. Under ECS, Homeland Security would share unclassified and classified cybersecurity information with companies that provide Internet, network and other communication services.
"ECS is intended to support U.S. critical infrastructure," DHS said in a privacy impact assessment of the program. "However, pending deployment of Einstein intrusion prevention capabilities, ECS may also be used to provide equivalent protection to participating federal civilian executive branch agencies."
Goode said that ECS is starting off slowly but that there is a "robust engagement" with a number of companies.