DHS: Einstein is old tech, but still works fine
SAN FRANCISCO — Just because the technology behind the Department of Homeland Security’s $6 billion Einstein governmentwide cybersecurity system is old, doesn’t mean it’s out of date, senior DHS cyber officials told FedScoop at the RSA Conference this week.
Greg Touhill, deputy assistant secretary of cybersecurity operations and programs at DHS, admitted that the system meant to detect and block malicious network traffic has not been without its teething troubles. However, with the authorities granted under last year’s Cybersecurity Act of 2015 and the efforts tied to the Cybersecurity National Action Plan, Einstein is finally beginning to fulfill its potential as a vital security tool, he said.
Touhill, a retired Air Force brigadier general, doubled down on remarks he made last November that Einstein is at least a decade behind currently technology, which leaves the .gov domain vulnerable to hackers and cyberspies.
“Einstein is essential but it’s just not enough,” Touhill said. “I’ll fully acknowledge that from what I’ve seen, we came out of the gate a little slow compared to where we are today.”
[Read more: DHS official: Einstein 3A is 15 years behind the times]
At an event just outside Washington, D.C., Thursday, DHS’ Director of Federal Network Resilience Mark Kneidinger said a series of pilot programs were being run with four Cabinet-level departments and one small agency “to do a drill down as to ‘How are you actually using Einstein, and how else could you use Einstein?’”
He said the pilots, announced several weeks ago at a federal CIO Council meeting, but not reported until Thursday, aimed to “take a look at where else, how else we can leverage Einstein in support of the agencies’ needs.”
Touhill told FedScoop that despite a scathing Government Accountability Office report issued in January, DHS’ National Protection and Programs Directorate has greatly improved Einstein’s capabilities, pointing to the recent announcement that the latest version, Einstein 3A, now sits on the digital pipelines of every DHS-approved Internet service provider. He also noted there is a contract vehicle for departments that aren’t on one of the three approved ISPs — AT&T, CenturyLink or Verizon — that allows them to route their traffic through Einstein 3A.
“The [GAO] report acknowledges the fact we’ve turned the corner,” Touhill said. “I’ve gone to departments at their request, we’re talking to the senior level [officials]. Frankly, we are getting good testimonials, with agencies saying the risk measures dropped. They are saying it’s working.”
That would indeed represent progress since the GAO’s report in January, which noted agencies often found it difficult or worthless to try and determine which threat alerts were actually real, as opposed to false positives. According to DHS Secretary Jeh Johnson’s testimony to House appropriators last week, all federal agencies and departments have access to some Einstein 3A tools, and half are now fully online.
“We are working to get all federal departments and agencies on board by the end of this year,” he concluded.
[Read more: Johnson rebuts audit criticism on $6B Einstein defense]
Kneidinger, who spoke at a cybersecurity event organized by the Independent Telecommunications Pioneer Association, said officials were pulling out all the stops to meet that deadline. “Rollout activity right now is extremely intense across government,” he said.
Phyllis Schneck, deputy undersecretary for cybersecurity and communications at DHS, told FedScoop the department is building on top of Einstein, using the best of private industry to keep up with rapidly evolving threats.
“The cyber adversary is fast, they don’t have lawyers, they have nothing to protect and they have plenty of money,” Schneck told FedScoop. “I always said, ‘It’s time to buy, not build,’ and we have been putting the best of industry into our government agencies.”
Outside of the technological developments, Touhill said he is seeing a mindset change in agency leadership from security compliance measurements to risk-based security assessments.
“I think as we’ve seen in the very noteworthy breaches in the public and private sector, senior officials have started to realize that seemingly uninteresting data that’s unclassified may in fact be really important to folks and they have to protect this,” Touhill said. “This is the people’s information, we have to protect it from those who don’t have authorization to see it. We’ve got to continue to strive forward to making it available for those who do need to see it. I’m pretty optimistic on the direction we are going on both of them.”
Schneck said the data being collected by Einstein is also useful to give situational awareness to private companies that share information under the mechanisms built out in the wake of the Cybersecurity Act of 2015.
The Automated Indicator Sharing program run by US-CERT will take threat data collected by Einstein and push it out to private companies “at machine speed,” so the public and private sector have a holistic view of the threat landscape.
Einstein “is like a vaccine system. Things like the measles are still alive and well, but we all have to be vaccinated,” Schneck said. “We’re in a world where there’s a lack of trust. There has never been a more important time to share information. We have to get it to get it right.”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.