Senators seek details on Einstein's performance and limitations

The top two senators on a committee overseeing the Department of Homeland Security are calling on the agency to provide documents that would highlight the capabilities and limitations of the federal government's flagship cybersecurity programs.

Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) want the Cybersecurity and Infrastructure Security Agency to provide "documents sufficient to show" the technical capabilities and any planned improvements of Einstein and the Continuous Diagnostics and Mitigation program, according to an April 5 letter the lawmakers sent to CISA's acting director Brandon Wales.

The senators are also asking for "specific information systems compromised at federal agencies shared with CISA in regards to the SolarWinds and MS Exchange cyberattacks" as well as a report CISA produced in 2020 on the efficacy of Einstein utilizing classified indicators.

Peters and Portman are the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee.

Both senators during oversight hearings with Wales and other government cybersecurity officials have signaled they are interested in making changes to Einstein's authorization, which is due to expire at the end of 2022.

"I believe the urgency here is clear," Portman said during a March 18 hearing. "The statutory authorization expiring next year gives us a chance to do this. It seems like the significant limitations you've talked about means we need to work together to address the next authorization."

Separately, DHS Secretary Alejandro Mayorkas said during his confirmation hearing he would direct his agency to conduct reviews of both programs.

The Einstein system is meant to defend government networks at the perimeter using information on known threats and exploits. The SolarWinds and Exchange attacks leveraged zero-day flaws that were not included in Einstein's catalog of known malware. Wales has been straightforward about the fact Einstein was not developed to counter unknown threats, but the program has remained the target of lawmakers during hearings.

The senators also sent a separate letter to Chris DeRusha, the federal chief information security officer. Both letters were in part a reaction to a March 29 story by the Associated Press reporting top DHS officials' email accounts were compromised by the hacking campaign against SolarWinds, including Chad Wolf, then the acting DHS secretary for the Trump administration.

From DeRusha, the senators are requesting the current federal cybersecurity strategy as well as any planned changes, documents showing what systems were compromised either by the attack against SolarWinds or vulnerabilities in Microsoft Exchange and a list of roles and responsibilities for federal cybersecurity.

The list of roles should include "an assessment of how these defined roles prevent duplicative efforts and facilitated the federal government's response to the SolarWinds attack," according to the letter.