DHS official: Einstein 3A is 15 years behind the times


The technology behind the Einstein 3A intrusion detection system, a key plank of the Obama administration’s cybersecurity strategy that the administration has pledged will cover all federal agency networks by the end of the year, is a decade and a half removed from being considered state of the art, a senior Homeland Security official acknowledged Thursday.

“Einstein 3 is really where we needed to be 15 years ago,” said Greg Touhill, deputy assistant secretary of cybersecurity operations and programs at DHS. “In my personal view, we are a little lean on this capability.”

Touhill, along with a number of cybersecurity experts, spoke about why the government is so far behind when it comes to cybersecurity during a panel at an event held by the Chertoff Group. Among the reasons: Only recently have agencies realized they need to better assess their risk when it comes to their IT assets, Touhill said.

“We are not managing risk very well,” he said. “We don’t see folks who have qualified or quantified risk in the cyber sector. When we are doing risk assessments, we’re not managing at the right level.”

Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks, said a big reason for breaches like what occurred at the Office of Personnel Management earlier this year is the “tremendous procedural hurdles” agencies need to go through to buy, secure and allow technologies to touch federal networks.

“It took years to deploy Einstein because departments and agencies would say, ‘I don’t know if I can put DHS-procured technology on my network,’” Gillis, who spent six years in the cybersecurity directorate at DHS, said during the panel. “In the meantime, [agencies] lacked IDS [intrusion detection system] capabilities. Now with Einstein 3A, it’s been a big conversation with the ISPs, and then the same conversation with agencies about ‘Can I put these protective technologies here?’ All of that leads to massive delays and jeopardizes the operation of networks.”

Touhill said that despite the bureaucratic hurdles, Einstein 3A has been deployed in 49 percent of federal agencies, with 80 percent expected to be covered within the next year. He said this push, which has been buoyed by DHS Secretary Jeh Johnson, is crucial so DHS can have a full view of the government’s network.

“The Einstein system is the only system that can give situational awareness across all of the federal government,” he said. “One thing we don’t want to do is have everyone go off on their own and have their own discrete view, because we want to see the whole battle space.”

But that’s precisely one of the things that bothers some department heads. “You are dumping all that data up the chain without us having a chance to look at and rationalize or explain it [first],” said one federal official, who asked to remain anonymous. “It’s a bit Big Brother.”

Mark Weatherford, a senior adviser of the Chertoff Group, said this type of protection is vital in helping federal agencies figure out what exactly is connected to their network.

“I’m positive that you can go to any federal government organization, or private organization, and you can say, ‘What is the one thing that if you lost it that would put you out of business?’ And a lot of CEOs [or department secretaries or agency directors] can’t answer that question. I find that absolutely baffling,” Weatherford said.

However, Weatherford said that with federal CIO Tony Scott pushing for faster Einstein deployment and better risk practices, things are finally moving in a positive direction.

“He is doing some things that nobody in the executive branch has ever done,” Weatherford said. “We really need to support him because what he is doing and what he is talking about is driving change in the federal government.”