A marquee program designed to protect the government against cybersecurity threats is facing new scrutiny in the wake of Solar Winds Orion breach, but analysts say the program was unlikely to have ever stopped the hacking campaign.
On day one of Alejandro Mayorkas' tenure as secretary of the Department of Homeland Security, if he's confirmed as expected, he'll be under pressure from Congress to deliver answers about why the federal government's cybersecurity measures failed to detect or defend against the SolarWinds Orion hack.
Mayorkas promised at his confirmation hearing to review the agency's high profile cybersecurity programs, including the network protection program Einstein that's a key component of the National Cybersecurity Protection System.
Lawmakers, prior to the discovery of the breach in December, were already signaling for changes to those programs. In recent spending legislation, Congress suggested DHS consider layering other capabilities into Einstein, which is run by the Cybersecurity and Infrastructure Security Agency at DHS.
Einstein observes traffic flowing in and out of federal networks, allowing the government to target threats using a database of known malware. It's unlikely Einstein ever could have detected the malware implanted into SolarWinds Orion, analysts told FCW. But replacing the system wholesale to address the problem of unknown or zero-day threats would be far too costly. The most viable path forward, these cybersecurity experts said, would be to install new capabilities, necessarily bolstered by private industry.
Kiersten Todt, formerly executive director of the Commission on Enhancing National Cybersecurity was blunt about Einstein's record. "There are no real strong success stories of Einstein," she said. "When you look at what happened with SolarWinds, they essentially outsmarted Einstein."
Philip Reitinger, president and CEO of the Global Cyber Alliance, said, "The challenge with detecting activity like the SolarWinds hack is that the hack is accomplished through 'authorized' malware."
To detect that malware, a defensive system would either have to deny all communications that are not explicitly whitelisted or establish a user activity baseline capable of singling out abnormalities for investigators to pursue. "That can be difficult to do and resource intensive," he added.
Michael Hamilton, a former vice chair for a government coordinating council focused on critical infrastructure protection, described a similar method as the most likely way forward for DHS to improve Einstein. Although its precise capabilities are classified, Hamilton speculated the program's age -- Einstein was originally developed in 2003 -- is a sign it may not be baselining user activity in the way he and Reitinger described.
Hamilton said that "it's not likely they throw it out and start over," noting the program's cost. "My understanding is that it cost $6 billion to develop."
A CISA official declined to comment specifically on the program's methods when asked about the analysts' suggestion.
"Einstein intrusion detection and prevention capabilities primarily rely on commercial-off-the-shelf (COTS) intrusion-detection capabilities, which utilize CISA's access to cyber threat intelligence to detect, and block where appropriate, suspected malicious cyber activity," the official said.
Whatever new capability or program DHS establishes, Todt said it must be predicated on industry playing a larger role than it does with Einstein.
"Government cannot do this by itself nor should it," she said. "I think Einstein was predicated on government doing it by itself."
Mike McNerney, co-founder and chair of the Institute for Security and Technology, said another fundamental challenge Einstein faces is the government's ongoing transition to the cloud.
"While it [Einstein] may continue to be a part of the government's security approach, there are other products and technologies better suited for the cloud," he said. "Combined with greater access control initiatives, the more networked-based Einstein is arguably less useful."
In addition to any review Mayorkas begins, the White House has also started accounting for the damage done in the wake of SolarWinds Orion. Within days of being sworn in, Biden ordered the new director of national intelligence, Avril Haines, to provide a sweeping intelligence review of the hack.
Sen. Maggie Hassan (D-N.H), a member of the Senate committee responsible for overseeing DHS, said Biden must "engage in a top-to-bottom review of how this was able to happen and go undetected for so long, and what needs to be done to strengthen the federal government's cybersecurity."