Analysis: Einstein and U.S. cybersecurity

By SHAUN WATERMAN, UPI Homeland and National Security Editor  |  March 3, 2008 at 1:34 PM
share with facebook
share with twitter

WASHINGTON, March 3 (UPI) -- The Einstein program -- the most significant element yet unveiled of the classified multibillion-dollar cybersecurity initiative President Bush signed last month -- will still leave the U.S. government's IT security lagging the private sector, say lawmakers and industry experts.

At a hearing last week on Capitol Hill, officials faced close, skeptical questioning about the program, an intrusion detection system that will automatically monitor and analyze Internet traffic into and out of federal computer networks in real time -- allowing officials at the Department of Homeland Security to scan for anomalies that might represent hackers or other intruders trying to gain access or steal data.

"There are still some gaping holes," said Rep. James Langevin, D-R.I., of the House Homeland Security Committee.

Officials at the hearing linked Einstein with the White House Office of Management and Budget's Trusted Internet Connections initiative. TIC requires all federal departments and agencies to report on all their external network connections, with the aim of reducing the current 4,000 or so across the federal government down to 50 by June this year.

Einstein will be deployed at all those points of access, Scott Charbo, the Homeland Security official responsible for the program, told United Press International in a recent interview.

Departments and agencies will "deploy the sensors to the portals identified" as being among the 50 or so that will remain open, he said.

But some Democrats and industry observers are skeptical about Einstein's capabilities.

"It is not timely," said Rep. Jane Harman, D-Calif., "I don't get any sense of urgency, I don't think much of it will work."

Harman added that the private sector considers Einstein "too passive" and believes "it doesn't deliver information in real time."

Intrusion detection and analysis programs like Einstein "are absolutely standard in the private sector," Casey Potenzone, chief information officer of computer security firm Uniloc, told UPI. "It is not revolutionary or state of the art," he added, calling the rollout of the program across federal networks "very logical and something that should have been done a long time ago."

Ken Silva, formerly a senior official with the National Security Agency now in the private sector, told UPI that one of the problems that had delayed the policy process was the lack of clear lines of authority.

"Why didn't they do that before? Who would decide to? There was no clear decision-maker in that process," he said, noting that the directive signed last month by President Bush had made the National Security Agency "the central authority to oversee security for all government networks."

"Until you have one central authority, how do you make a (security) mandate" (for federal network managers), said Silva, who is now chief technology officer of the company that runs the backbone of the U.S. Internet infrastructure, VeriSign Inc.

Robert Jamison, undersecretary for national protection and programs at the Department of Homeland Security and Charbo's boss, told the hearing that Einstein, currently deployed at DHS and a handful of other government agencies, was being re-vamped for its rollout across all the federal networks.

Einstein currently collects information about traffic flows, and network managers analyze it daily, looking at where on the Internet so-called data packets that make up Web traffic are headed. But Jamison told the hearing that the new version, for which officials have requested an additional $115 million this year, will collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments.

"Where we want to go is we want to be able to detect the malicious code that we know about," he said. "When an adversary or an intrusion has a signature of malicious code, we want the (Einstein) sensors to be able to scan for that malicious code and alert us."

Charbo told the hearing another change being made was to get security clearances for chief information officers and their top IT security staff, "so that no longer are they just getting an unclassified brief."

"Quite honestly," he added, "what you get in that (unclassified) state is just a piece of information that's very difficult to interpret back to any attribution at all or to identify what the gaps are."

In response to privacy concerns, Jamison noted that Einstein's capacity was no different from that in commercial IT security systems that federal departments already employed.

"They all have commercial capability to do intrusion detection," he said. "What is different is that we're going to have comprehensive coverage" across federal networks, and that all the information about potential intrusions or malicious code would flow to a central point, the U.S. Computer Emergency Readiness Team at DHS.

"We've had our privacy folks and our civil rights folks involved in this from the very start," he told the hearing, adding a required privacy impact assessment for the new program was being prepared.

Silva noted that even checking for potential malicious code, which can be done by a program that automatically scans incoming e-mail for instance, was not a problem in privacy terms.

"That kind of analysis and monitoring is quite different from anyone actually reading the content" of an e-mail, he said.

Because hackers, including those believed employed by nation states like China, are now so adept at fooling users into downloading malicious software from the Internet or e-mail, and the software can hide so deeply in a computer's operating system, many see traffic analysis -- which can spot a computer worm propagating itself through a network for instance -- as a vital part of any IT security strategy.

Charbo told UPI there were currently no plans to look at one of the more extreme options currently being considered by network security managers at the Department of Defense -- that of banning all non-official traffic.

"We'll be looking at a lot of what (the Department of Defense) is doing," he said, but added that the idea of TIC was to provide a baseline in terms of security policies upon which agencies could then build.

Certainly policies will change over time," he said. "They'll be policies for all federal networks … agencies can make more restrictive rules for the networks they manage."

Silva acknowledged that security on U.S. government unclassified networks had been poor but said the technological centralization of Einstein, and the policy centralization of putting the NSA in charge, was the foundation for success.

"We've taken the first step," he said.

Related UPI Stories
Trending Stories