DHS’s $5.7 Billion EINSTEIN Ain’t So Smart

Published: February 03, 2016


What does billions in intrusion detection spending get you at the Department of Homeland Security? Apparently not as much as expected, according to government auditors.

The National Cybersecurity Protection System (NCPS), more commonly known as EINSTEIN, is intended to provide DHS with the capabilities to detect malicious traffic traveling across federal computer networks, prevent intrusions, and support data analytics and information sharing. DHS has spent more than $1.2 billion on the system through fiscal year (FY) 2014, and the projected total cost of the program through FY 2018 is approximately $5.7 billion. But a recent report by the Government Accountability Office was critical of NCPS performance in meeting its stated objectives.

Select GAO Findings

GAO set out to determine how well the system was meeting its stated objectives, how well DHS has designed requirements for future stages of the system, and the extent to which federal agencies have adopted the system. GAO also focused their assessment of NCPS intrusion prevention services on the departments of Energy and Veterans Affairs, as well as the General Services Administration, the National Science Foundation and the Nuclear Regulatory Commission. While not all bad, GAO identified many key challenges:

  • While all 23 of the non-defense agencies had routed network traffic to NCPS intrusion detection sensors, only 5 of the 23 agencies were receiving intrusion prevention services. Further, GAO found that for 3 of these 5 agencies, adoption of intrusion prevention services for e-mail was limited, with only 1 agency appearing to have fully adopted intrusion prevention for e-mail service.
  • EINSTEIN relies on cyber-attack patterns, referred to as signatures, to identify suspicious network traffic. But GAO noted that, because of its signature-based approach, EINSTEIN does not address a large percentage of commonly known vulnerabilities, nor does it check web traffic for malicious content. EINSTEIN cannot protect against zero-day attacks until they are identified or announced; only then can DHS formulate a signature for the attack and upload it to EINSTEIN.
  • For the 5 client applications that GAO reviewed (Adobe Acrobat, Flash, Internet Explorer, Java, and Microsoft Office), the NCPS intrusion detection signatures provided some degree of coverage for 29 of the 489 vulnerabilities selected for review (i.e., about 6 percent).
  • It is unclear if and how US-CERT plans to leverage vulnerability data from other DHS sources, like the Continuous Diagnostics and Mitigation (CDM) program, to help build its intrusion detection signatures. GAO asked about this but DHS could not detail its plans due to the immaturity of the CDM program.
  • EINSTEIN does not leverage the National Vulnerability Database (NVD) of security flaws maintained by the National Institute of Standards and Technology (NIST), causing gaps in NCPS signatures, among other things.
  • NCPS currently has the ability to proactively mitigate a limited subset of threats, like DNS blocking and e-mail filtering, but does not yet analyze other types of network traffic (e.g., web content), which are common attack vectors. DHS ascribed the lag in broader protections to a change in approach in 2012.
  • The NCPS information-sharing capability is not fully developed, and agencies did not always view incident notifications as timely and useful. During FY 2014 only 56 of DHS’s 74 notifications had been received by the customer agencies. Of those 56 incident notifications, the 5 agencies indicated that 31 were timely and useful, 10 were not timely or useful, 7 were false positives, and 7 were not related to an NCPS intrusion detection. The remaining notification appeared to be a duplicate.

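The two signature findings above (a known pattern is caught, a variant or zero-day is not, and a signature set covers only a fraction of the vulnerabilities an agency cares about) can be made concrete with a small defender-side coverage audit. The following is an added example, not code from GAO, DHS or the NCPS program; the signatures, the vulnerability identifiers (`VULN-PLACEHOLDER-*`) and the traffic records are all constructed for illustration and stand in for real signature and CVE data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Signature:
    name: str
    pattern: re.Pattern   # compiled regex applied to raw traffic bytes
    covers: Set[str]      # vulnerability IDs this signature is meant to detect


# Constructed signature set. The vulnerability IDs are placeholders, not real CVEs,
# and the indicators (a blocked domain, a malware User-Agent, a double-extension
# attachment name) are hypothetical defender-side indicators.
SIGNATURES: List[Signature] = [
    Signature("dns-blocked-domain",
              re.compile(rb"\bmalicious\.example\b"),
              {"VULN-PLACEHOLDER-001"}),
    Signature("http-known-malware-ua",
              re.compile(rb"User-Agent: ExampleBot/1\.0\b"),
              {"VULN-PLACEHOLDER-002", "VULN-PLACEHOLDER-003"}),
    Signature("smtp-known-bad-attachment",
              re.compile(rb'filename="invoice\.pdf\.exe"'),
              {"VULN-PLACEHOLDER-004"}),
]

# Constructed inventory of the vulnerabilities an agency wants signature coverage for.
VULN_INVENTORY: List[str] = [f"VULN-PLACEHOLDER-{i:03d}" for i in range(1, 11)]

# Constructed traffic records, one per line, labelled by what they represent.
SAMPLES: Dict[str, bytes] = {
    "dns_known_bad": b"Q: malicious.example A",
    "http_known_ua": b"GET /update HTTP/1.1\r\nUser-Agent: ExampleBot/1.0\r\n",
    # Same family, new version string: no signature exists yet, so it passes.
    "http_new_variant": b"GET /update HTTP/1.1\r\nUser-Agent: ExampleBot/1.1\r\n",
    "smtp_known_attachment": b'Content-Disposition: attachment; filename="invoice.pdf.exe"',
    "benign": b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n",
}


def match_signatures(record: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern matches the record."""
    return [s.name for s in signatures if s.pattern.search(record)]


def scan_samples(samples: Dict[str, bytes] = SAMPLES,
                 signatures: List[Signature] = SIGNATURES) -> Dict[str, List[str]]:
    """Run every sample through the signature set; an empty list means 'not detected'."""
    return {label: match_signatures(rec, signatures) for label, rec in samples.items()}


def coverage_report(inventory: List[str] = VULN_INVENTORY,
                    signatures: List[Signature] = SIGNATURES) -> Dict[str, object]:
    """Compare the vulnerabilities the signatures claim to cover with the inventory,
    the same kind of check GAO made (29 of 489 covered)."""
    claimed = set().union(*(s.covers for s in signatures))
    covered = claimed & set(inventory)
    uncovered = sorted(set(inventory) - covered)
    return {
        "covered": sorted(covered),
        "uncovered": uncovered,
        "percent": round(100 * len(covered) / len(inventory), 1),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:22s} -> {hits or 'NOT DETECTED'}")
    report = coverage_report()
    print(f"signature coverage: {len(report['covered'])}/{len(VULN_INVENTORY)} "
          f"({report['percent']}%), uncovered: {report['uncovered']}")
```

Running it shows the two gaps side by side: the `http_new_variant` record is not detected because the only signature for that family is pinned to one version string, and the coverage report lists six of the ten inventory entries as uncovered. In practice the inventory would be fed from a vulnerability source such as NVD or CDM scan results, which is exactly the linkage GAO found missing.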
The latest GAO audit of EINSTEIN has clearly gotten some attention and even generated a public response by the DHS Secretary defending the program. Questions around the effectiveness of EINSTEIN and other DHS cybersecurity efforts are not new. EINSTEIN’s effectiveness was questioned in the wake of the OPM hacks and one of the key milestones under the Cyber Strategy Implementation Plan (CSIP) released by OMB last October was for agencies that were not yet covered to receive EINSTEIN 3A coverage by December 31, 2015.

As the FY 2017 budget cycle begins and Congress looks hard at program effectiveness and spending priorities, it will be interesting to see how they respond – with less funding or more?