GAO Report Finds Flaws In DHS Cybersecurity System

King & Spalding

On January 28, 2016, the U.S. Government Accountability Office (“GAO”) released a report finding that the Department of Homeland Security’s (“DHS”) cybersecurity apparatus, the National Cybersecurity Protection System (“NCPS”), is “not fully satisfying all intended system objectives” and recommending various actions to improve NCPS’s capabilities. The report, entitled “DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System,” was submitted to the Appropriations Committees in the U.S. Senate and House of Representatives as part of GAO’s mandate to review the implementation of NCPS.

GAO had three goals in preparing the report. First, GAO sought to determine whether NCPS—also referred to as the “Einstein” program—was meeting its stated system objectives. NCPS is an “integrated system-of-systems” designed to give DHS the ability to provide four key data security services to federal entities: intrusion detection, intrusion prevention, analytics, and information sharing. Regarding intrusion detection, the report states that the system provides DHS with “a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies” and further describes how NCPS compares network traffic to identified malicious data patterns (signatures) but “does not detect deviations from predefined baselines of normal network behavior.” With respect to intrusion prevention, the report states that the “capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors,” noting that the intrusion prevention function “does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.”
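To make the distinction GAO draws concrete, the following is an added illustration (not code from the King & Spalding update, from the GAO report, or from NCPS itself) of the two detection approaches side by side: matching traffic against a list of known-bad indicators, as the report says NCPS does, versus flagging a host whose outbound volume deviates from its own learned baseline, which the report says NCPS does not do. The flow records, host names, indicator lists (drawn from documentation address ranges) and the three-standard-deviation threshold are all constructed assumptions for the demonstration.

```python
"""Signature matching versus baseline-deviation detection on constructed flow records.

Constructed example: the indicators, hosts and flows below are made up for the
demonstration and are not real threat intelligence or agency data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int          # observation day (1-based)
    src_host: str     # internal host that originated the connection
    dst_ip: str       # external destination
    user_agent: str   # HTTP User-Agent seen on the connection
    bytes_out: int    # bytes sent from src_host to dst_ip


# Constructed indicator set standing in for "identified malicious data patterns".
# Values come from RFC 5737 documentation ranges; they are placeholders.
KNOWN_BAD_DESTINATIONS = {"198.51.100.23", "203.0.113.77"}
KNOWN_BAD_USER_AGENTS = {"EvilAgent/1.0"}

# Five training days of ordinary traffic for two workstations, then a sixth day
# containing two different kinds of suspicious activity (constructed data).
_NORMAL_DAILY_BYTES = (1_000_000, 1_100_000, 900_000, 1_050_000, 950_000)
FLOWS = [
    Flow(day, host, "192.0.2.10", "Mozilla/5.0", nbytes)
    for host in ("ws-03", "ws-07")
    for day, nbytes in zip(range(1, 6), _NORMAL_DAILY_BYTES)
] + [
    # Day 6, ws-03: normal volume, but the destination is on the blocklist.
    Flow(6, "ws-03", "198.51.100.23", "Mozilla/5.0", 1_000_000),
    # Day 6, ws-07: destination and user agent look benign, but 48x its usual volume.
    Flow(6, "ws-07", "192.0.2.55", "Mozilla/5.0", 48_000_000),
]


def signature_alerts(flows):
    """Flag every flow that matches a known-bad indicator.

    Returns a list of (host, day, reason). Traffic to a destination not yet on
    the list is invisible to this check, however unusual its volume.
    """
    alerts = []
    for f in flows:
        if f.dst_ip in KNOWN_BAD_DESTINATIONS:
            alerts.append((f.src_host, f.day, f"destination {f.dst_ip} on blocklist"))
        elif f.user_agent in KNOWN_BAD_USER_AGENTS:
            alerts.append((f.src_host, f.day, f"user agent {f.user_agent!r} on blocklist"))
    return alerts


def daily_bytes(flows):
    """Aggregate outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src_host][f.day] += f.bytes_out
    return totals


def baseline_alerts(flows, train_days, eval_day, k=3.0):
    """Flag hosts whose outbound volume on eval_day exceeds mean + k*stdev of train_days.

    Returns a list of (host, observed_bytes, threshold_bytes). A host with fewer
    than two training days is skipped rather than judged against a baseline of one
    sample; a host whose history has zero variance alerts on any increase, which is
    a known weakness of a plain z-score rule and a reason to add an absolute floor
    in production.
    """
    totals = daily_bytes(flows)
    alerts = []
    for host, per_day in totals.items():
        history = [per_day[d] for d in train_days if d in per_day]
        if len(history) < 2 or eval_day not in per_day:
            continue
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + k * sigma
        observed = per_day[eval_day]
        if observed > threshold:
            alerts.append((host, observed, round(threshold)))
    return alerts


if __name__ == "__main__":
    # Each approach catches exactly one of the two day-6 events and misses the other.
    print("signature:", signature_alerts(FLOWS))
    print("baseline: ", baseline_alerts(FLOWS, range(1, 6), 6))
```

Run as-is, the signature check reports only ws-03 (blocklisted destination, ordinary volume) and the baseline check reports only ws-07 (unknown destination, far above its own history). That complementarity is the practical content of GAO's finding: a sensor that only does the first kind of comparison cannot see the second kind of event until someone adds an indicator for it.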

On analytics, the GAO report states that NCPS supports various tools, “including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code.” Other analytics enhancements are planned for the coming years. Regarding sharing of information, the report notes that much of the planned information-sharing functionality has yet to be developed and, in addition, federal agencies and DHS have not always been in agreement “about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications.”

The report further states that while there are metrics in place to assess NCPS’s performance, these metrics “do not gauge the quality, accuracy, or effectiveness of the system’s intrusion detection and prevention capabilities” and, accordingly, “DHS is unable to describe the value provided by NCPS.”

GAO’s second goal was to assess the extent to which “DHS has designed requirements for future stages of the system.” On this topic, the report found that while DHS identified requirements for certain capabilities, “it had not defined requirements for two capabilities: to detect (1) malware on customer agency internal networks or (2) threats entering and exiting cloud service providers.” The report notes that DHS “has not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.”

The third goal of GAO’s NCPS review was to examine how federal agencies have adopted the system. The report found that the “23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors,” but only five of these agencies were receiving services relating to intrusion prevention. The report also points out that federal entities “have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors.”

Overall, the report concludes that DHS has committed “significant resources to developing and deploying NCPS, with the goal of strengthening agencies’ ability to detect and prevent intrusions on their networks, as well as the capability for analyzing network activity and sharing information between DHS and agencies.” Nonetheless, in light of the identified weaknesses, the report features nine recommendations for executive action. These include that the DHS Secretary direct the Network Security Deployment division of the Office of Cybersecurity and Communications “to determine the feasibility of enhancing NCPS’s current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines” and to “work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.” DHS agreed with the report’s recommendations.

DHS Secretary Jeh C. Johnson issued a statement in response to the GAO report on January 30, noting that the Einstein system “is not a silver bullet” and “does not stop all attacks, nor is it intended to do so.” Secretary Johnson further stated that Einstein “is part of a broader array of defenses” and the current version “only blocks cyber threats we know about.”

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
