ENHANCE THE CAPABILITIES, IMPROVE THE PLANNING, AND SUPPORT GREATER ADOPTION OF THE NATIONAL CYBERSECURITY PROTECTION SYSTEM

The following text is taken directly from the Department of Homeland Security website.

The National Cybersecurity Protection System (NCPS) is an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing capabilities that defend the civilian federal government's information technology infrastructure from cyber threats and includes the hardware, software, supporting processes, training, and services that the program develops and acquires to support DHS's cybersecurity mission.

The NCPS capabilities, operationally known as the EINSTEIN set of capabilities, are one of a number of tools and capabilities that assist in federal network defense. These capabilities provide a technological foundation that enables the Department of Homeland Security to secure and defend the federal civilian government's information technology infrastructure against advanced cyber threats. NCPS advances DHS's responsibilities as delineated in the Comprehensive National Cybersecurity Initiative (CNCI).
The Department of Homeland Security (DHS) has the mission to provide a common baseline of security across the federal civilian executive branch and to help agencies manage their cyber risk. This common baseline is provided in part through the EINSTEIN system. EINSTEIN serves two key roles in federal government cybersecurity. First, EINSTEIN detects and blocks cyberattacks from compromising federal agencies. Second, EINSTEIN provides DHS with the situational awareness to use threat information detected in one agency to protect the rest of the government and to help the private sector protect itself.
A useful analogy for understanding EINSTEIN is that of physical protections at a government facility. The first phase of EINSTEIN, known as EINSTEIN 1, is similar to a camera at the entrance to the facility that records cars entering and leaving and identifies unusual changes in the number of cars. EINSTEIN 2 adds the ability to detect suspicious cars based upon a watch list. EINSTEIN 2 does not stop the cars, but it sets off an alarm. In sum, EINSTEIN 1 and 2 detect potential cyberattacks before they can enter the facility. The latest phase of the program, known as EINSTEIN 3A, is akin to a guard post at the highway that leads to multiple government facilities. EINSTEIN 3A uses classified information to look at the cars and compare them with a watch list. EINSTEIN 3A then actively blocks prohibited cars from entering the facility. Using classified information allows EINSTEIN 3A to detect and block many of the most significant cybersecurity threats.
The EINSTEIN system is used to protect federal civilian executive branch agencies. It is not used by the Department of Defense or the Intelligence Community. All of the EINSTEIN systems use widely available commercial technology. Importantly, EINSTEIN is not a silver bullet. Security cannot be achieved through only one type of tool. That is why security professionals believe in defense-in-depth: employing multiple tools in combination to manage the risks of cyberattacks. EINSTEIN provides perimeter defense for federal civilian executive branch agencies, but it will never be able to block every cyberattack. For example, it must be complemented with systems and tools inside agency networks, such as Continuous Diagnostics and Mitigation (CDM), and by proactive efforts from each federal agency to implement cybersecurity best practices such as multi-factor authentication and employee training.

In January 2016, the Government Accountability Office (GAO) issued recommendations that DHS enhance the capabilities, improve the planning, and support greater adoption of the National Cybersecurity Protection System (the full report is listed under Evidence below). We must make certain that the federal government complies with the GAO's recommendations and takes the following actions to strengthen U.S. cybersecurity:
Evidence:

United States. Department of Homeland Security. "National Cybersecurity Protection System (NCPS)." 26 June 2018.

United States. Department of Homeland Security. "EINSTEIN." 26 June 2018.

United States. Government Accountability Office. "Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System." January 2016.

The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

The Secretary of Homeland Security should direct NSD to work with its customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.