The Department of Homeland Security plans to hire IT experts who can support Einstein and other security technologies.
The Department of Homeland Security (DHS) is making progress on the deployment of its Einstein next-generation cybersecurity system and plans to bolster its IT staff with experts who can support it and other security technologies, a department official told the Senate this week.
Einstein 2 has already been deployed at 15 of 19 large departments and agencies that maintain their own locations for the Trusted Internet Connections (TIC) initiative, which reduces the number of external connections the federal network has to the Internet to improve security, said Sean McGurk, director of the Control Systems Security Program in the DHS National Cyber Security Division (NCSD).
McGurk testified before the House Committee on Oversight and Government Reform's Subcommittee on National Security, Homeland Defense, and Foreign Operations Wednesday about the current cybersecurity threat to the U.S, which he described as dire.
Last year, Einstein 2 sensors registered a total of 5.4 million hits--or alerts triggered by detection of a known security threat--at an average of 450,000 hits per month or nearly 15,000 hits per day, McGurk said. These numbers are indicative of the kind of security threat the federal network currently must be protected against.
"We face persistent, unauthorized, and often unattributed intrusions into federal executive branch civilian networks," McGurk said. "These intruders span a spectrum of malicious actors, including nation states, terrorist networks, organized criminal groups, or individuals located here in the United States. They have varying levels of access and technical sophistication, but all have nefarious intent."
Einstein is a multi-phase project to install an early-warning intrusion prevention and detection system. As it rolls out Einstein 2, the DHS also simultaneously is testing its next phase, Einstein 3, which will enable it to automatically detect and disrupt malicious activity before it harms critical networks and systems.
On Monday, another DHS official--Phil Reitinger, deputy under secretary of the National Protection and Programs Directorate--told the same committee that the Obama administration's recent cybersecurity legislative proposal should give the department more authority to advance its work on Einstein significantly. The proposal will give the DHS more autonomy to act on behalf of the federal government on cybersecurity matters.
To support Einstein and other cybersecurity plans, the DHS needs more qualified professionals, and is prepared to hire them, McGurk said. The NCSD currently has more than 230 cybersecurity experts on staff and has "dozens more in the hiring pipeline," he said.
To ensure there are qualified cybersecurity experts in the job market for hire, the DHS is working with other agencies on educational initiatives. For instance, the department has co-sponsored with the National Security Agency the Centers of Academic Excellence in Information Assurance Education and Research programs, the goal of which is to produce more professionals with IT expertise in various disciplines, he said.
Feds To Test Cybersecurity System
The Department of Homeland Security plans to work with a commercial Internet service provider and one federal agency to carry out a pilot test of Einstein 3, an intrusion detection and prevention system that will eventually be used to bolster federal agencies' information security postures.
DHS detailed the plans in a privacy impact statement -- required for new IT systems in government -- that it published last Thursday, along with some of the deepest detail yet of the partially classified system, the technology for which has largely been developed by the National Security Agency.
Einstein 3 will follow up on the Einstein 2 intrusion detection system, which is currently readying for operational deployment, and the first Einstein system, which collects network traffic data. It has been the subject of some controversy as observers have expressed privacy concerns in the media and on Capitol Hill about the government's use of data it collects.
According to the privacy impact statement, the pilot program will solidify the processes required to "manage and protect information gleaned from observing cyber intrusions" and will help DHS map out its path for implementing Einstein 3 more widely.
Einstein 3 will do real-time, deep packet inspection and "threat-based decision making" on network traffic at the edge of federal agency networks. The effort will redirect agency Internet traffic to DHS cybersecurity systems, which will apply pre-defined signatures to the traffic to determine which traffic might be associated with cyber threats and how to respond.
That traffic will be made available to cybersecurity analysts at the United States Computer Emergency Readiness Team for review, while the rest of the traffic won't be retained by DHS. US-CERT will then automatically alert federal agencies of network intrusion attempts. Thus, Einstein 3 could bolster information sharing between US-CERT and federal agencies.
Einstein 3 will make use of the capabilities of both Einstein 1 and 2 to help build its own IDS capabilities, but with greater speed and processing power and both classified and unclassified signatures. Many of the analytical tools for managing security information will also remain the same as those currently being used.
According to the statement, certain attack alerts may be sent to the NSA so that the NSA can carry out its mission of signals intelligence. "This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform EINSTEIN 3 systems in real time," the privacy impact statement says. "DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and [Department of Defense] information assurance missions for use in the EINSTEIN 3 system in support of DHS's federal system security mission."
DHS will keep the data the pilot collects for as long as one year after the pilot is done, or may purge some data early, depending on US-CERT's determination of the data's usefulness.
DHS' test will take place over four phases, one to assess the ISP's ability to redirect traffic, another to install the technology, a third to bring the Einstein pilot online and ramp up the tests, and a fourth to carry out an extended test and review of capabilities over a full year. The pilot will be limited to a single federal agency. However, it's not clear when the pilot will begin.