DHS Einstein intrusion detection system

DHS coming up short on Einstein deployment

Deploying the governmentwide intrusion detection system known as Einstein is taking longer than expected, and development of the next stage of the system, scheduled for completion in 2015, is costing more than expected.

Einstein, which is being deployed to Trusted Internet Connection access providers for agencies in the .gov domain, now serves 17 of 18 major agencies, said Brendan Goode, director of Network Security Deployment in the Homeland Security Department's National Cyber Security Division. But there are more than 100 departments and independent agencies in the domain.

"That still leaves a bunch of agencies not covered," Goode said.

The delay in fully implementing the system has earned that phase of the project red status on the government's IT dashboard. The next major phase, implementing intrusion prevention in the system, still is on track to be finished by the end of calendar 2015 but the cost currently is about $41 million over the estimated $237 million, an overrun that gives it a yellow status.

Metrics for operational performance of the current iteration of the Einstein governmentwide intrusion detection system
  FY2013 target Actual
Percent of executive branch civilian agency networks monitored for cyber intrusions
Percent of high priority alert-level events detected and validated
Average minutes from threat identification to ticket generation
Percent of identified high vulnerabilities where mitigation strategies were provided
Average system availability

Source: Government IT Dashboard

Overall, however, the complex 13-year program has a green status. Recently resigned DHS CIO Richard Spires had said Einstein has been "delivering needed capabilities" to agencies and assessed the program as a moderately low-risk investment. If it performs as intended, it would provide a powerful tool for automating the security of government networks.

Goode outlined the goals and status of Einstein, the operational keystone of the National Cybersecurity & Protection System (NCPS), in a briefing to the American Bar Association's standing committee on law and national security. Goode, an electrical engineer by training, said his job as head of network security is to deliver the technical capability to enable NCPS.

The current iteration of Einstein is a signature-based system that identifies intrusions. The next step, expected to be completed in September, is to develop information-sharing capabilities for it, enabling automated machine-to-machine exchanges to deliver alerts as an incident is under way so that response and remediation can begin immediately.

The next major iteration will be Einstein 3 Advanced, which is intended to not only detect but also block intrusions are they occur. Work on this phase began in 2008. A pilot of the IPS capabilities has been conducted in the Energy Department, Goode said.

Another major effort of Goode's office is Enhanced Cybersecurity Services (ECS), an expansion of the Defense Department's Defense Industrial Base pilot, in which classified cybersecurity intelligence is shared with cleared non-government personnel working with defense contractors. Under ECS, Homeland Security would share unclassified and classified cybersecurity information with companies that provide Internet, network and other communication services.

"ECS is intended to support U.S. critical infrastructure," DHS said in a privacy impact assessment of the program.  "However, pending deployment of Einstein intrusion prevention capabilities, ECS may also be used to provide equivalent protection to participating federal civilian executive branch agencies."

Goode said that ECS is starting off slowly but that there is a "robust engagement" with a number of companies.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/Shutterstock.com)

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected