DHS' network monitoring system ready for upgrade

The Homeland Security Department will improve the network monitoring system known as Einstein during the next year, taking it from a passive to real-time system and expanding it governmentwide, officials said. Robert Jamison, undersecretary of the department's National Protection and Programs Directorate, told lawmakers Feb. 28 that part of the Bush administration’s cyber directive is to add new software to the once-voluntary system to improve how it analyzes federal networks and looks for malicious code. Under the cyber initiative, the Office of Management and Budget and DHS require every agency to use Einstein. DHS’ U.S. Computer Emergency Readiness Team runs the program that as many as 15 agencies use now to monitor traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of unwelcome activity on federal networks. House members criticized Einstein Feb. 28, saying the administration needed to do more. “The private sector considers Einstein too passive and doesn’t deliver information in real time,” said Rep. Jane Harman (D-Calif.) during a hearing on the administration’s cyber directive held by the Homeland Security Committee. Jamison said changes underway would improve the system. Presently,  Einstein captures data once a day and looks at IP addresses, the size of the data packets and overall traffic patterns, she said. Karen Evans, OMB’s administrator for e-government and information technology, said Einstein analysis is now done manually, but a lot of that work will be automated in the next version. After the session, Jamison said DHS was working on Version 2 that would add commercial software to improve its functions. “The big issue is having a good flow of information so we can analyze it in real time,” he said. “We also want the intrusion protection devices to be consistent across all external points in government.” Jamison added that the next Einstein version also would provide comprehensive situational awareness. Evans said Einstein will provide agencies information that they could take corrective action and reduce their risks more quickly than at present. A large portion of the President Bush’s fiscal 2009 $80 million budget increase for U.S. Cert would go to updating and implementing Einstein across the government, and the administration is moving $115 million inside DHS to further deploy Einstein in 2008. Jamison said DHS also would upgrade U.S. Cert’s facility and expand its capabilities to detect malicious malware with the additional funding in 2009. “We are aggressive about deploying it this year,” he said. However, Harman expressed concerns about the privacy implications that could come from Einstein’s expanded capabilities, saying people may view this as the government spying on them. Jamison tried to alleviate her and others’ concerns by saying that DHS will not only write a Privacy Impact Statement for the new version of the program, but he brought a chart to the hearing showing exactly the type of data Einstein picks up now and will continue to pick up later. “This is no different than what any commercial product does,” he said. “We will not look at content of the traffic.” Evans added that the implementation of Einstein will coincide with agencies moving to the General Services Administration’s Networx telecommunications system. Agencies should be down-select or come up with an acquisition strategy by the end of March to ensure they have time to complete the transition to Networx from FTS 2001, Evans said. Evans said GSA needs agencies to figure their strategy to ensure they can pay agency transition costs. “This is an incentive for agencies to hit these dates,” Evans said. “If agencies don’t hit those dates, GSA carries the liability and that affects the potential savings.” Evans also said the CIO Council has completed a cost-benefit analysis on why agencies should move to Networx. “We will show agencies the way and why Networx is advantageous,” she said. “The preliminary details of the analysis are supposed to come to me this week.” GSA has received statements of work from 21 agencies and expects at least 58 more by September, Evans told lawmakers. “Networx will enable agencies to do more enhanced security services,” she said. “A lot were not available when FTS 2001 was awarded.