DHS Official: Technology Behind Einstein ‘About 25 Years Old’ by Giuseppe Macri
Obama administration officials met in Washington Thursday to lay out President Obama’s new proposals for boosting private and public sector cybersecurity, including improving the Department of Homeland Security’s Einstein automatic threat detection system — a program one official said is based on quarter-century old technology.
“I came to government from a career in the private sector about two-and-a-half years ago, and the first thing they said to me when I got in was, ‘You’re a scientist, look at this Einstein thing, and tell us about it — and by the way, the technology’s 10 years old,’” DHS’s chief cyber official Dr. Phyllis Schneck told a New America Foundation Open Technology Institute panel Thursday.
In 2003 DHS rolled out the first iteration of Einstein, which automatically detects and prevents cyber intrusions. Since then, the program has been repeatedly criticized by officials and experts in and out of government as outdated and over budget.
“It basically blocks things that it knows are bad,” said Schneck, who serves as deputy undersecretary for cybersecurity and communications for the National Protection and Programs Directorate. “That technology, as I sat down and told folks later, is not 10 years old. And they looked at me and got ready for a large defensive discussion, and I said that in fact, it’s about 25 years old.”
A January report from the Government Accountability Office analyzing the $6 billion program found that one of the system’s major flaws is its ability to detect and thwart only known cyber threats, as opposed to new, previously unencountered attacks.
Einstein was the subject of significant congressional scrutiny following the massive cybersecurity breach detected last year at the Office of Personnel Management, where sensitive information belonging to more than 20 million past and present federal employees and contractors was left vulnerable.
“I’ll go ahead and say the letters O-P-M — I wasn’t going to, but I said it,” Schneck said. “That piece of the event that’s so well reported was actually just discovered while that agency was making US-CERT [United States Computer Emergency Readiness Team] changes and mitigations and improvements to their network.”
Schneck defended the program as a single piece of a larger federal cybersecurity endeavor that spans all government agencies. The blocking part of the program has expanded from 20 percent to 50 percent in the last year, while the detection portion already covers everything, according to the undersecretary, who previously worked for McAfee.
“Einstein didn’t block it, we hadn’t seen it before — that is part of the program,” Schneck said of the OPM hack. “That’s like a vaccine. Everybody’s got a Measles vaccine — we don’t stop getting a Measles vaccine because there are other diseases, because the measles is still out there.”
The deputy undersecretary said after they found the OPM threat, Einstein allowed them to rewind web traffic back years to discover the same intrusion in other agencies, including at the Department of the Interior.
Future plans for improving the program include big investments in Silicon Valley, where DHS opened its first office last week to partner with the private sector on developing new defensive technologies as part of the White House’s Cybersecurity National Action Plan announced earlier this week.
The plan also includes increasing the nation’s cybersecurity budget over last year’s by $5 billion for a total of $19 billion, the creation of a presidential commission to plan and oversee a long-term cybersecurity improvement plan and the creation of a federal chief information security officer — a position most major companies designate to oversee their cybersecurity — to lead the changes.
“It is no secret that too often government IT is like an Atari game in an Xbox world,” President Obama wrote in a Wall Street Journal op-ed Tuesday. “The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way. Going forward, we will require agencies to increase protections for their most valued information and make it easier for them to update their networks.”
Schneck said DHS is taking the lead role in enacting those changes.
“We are already using analytics to detect things we haven’t seen before,” Schneck said. “So my analogies are going from a system of vaccines — which is very necessary, the Measles are still out there — but we’re going to be building an immune system, taking all of our networks and turning that into an ecosystem where, when your body gets a cold, your body fights it.”
“We are definitely ready,” Schneck said.