There is broad recognition that federal network security is more than just a government IT issue, but rather something foundational to the personal privacy of Americans’ sensitive information and national security. The federal government has learned this truism the hard way far too often—from the China-backed OPM breach that exposed sensitive information on over 20 million Americans to the Russia-backed SolarWinds cyber espionage campaign that resulted in exposure of incalculable amounts of non-public government data across nine agencies.
Federal civilian networks, which comprise the agencies outside the Department of Defense (DoD) and the Intelligence Community, represent a sprawling conglomeration of over 100 agencies’ digital enterprises. While the Cybersecurity and Infrastructure Security Agency (CISA), as the civilian operational lead for cybersecurity, and the Office of Management and Budget (OMB), as the interagency “referee,” nominally sit at the center of the so-called “.gov” space, centralized, real-time visibility across those networks has been a persistent challenge.
When discussing CISA’s current offerings to support .gov security, two programs are frequently mentioned in tandem—Continuous Diagnostics and Mitigation (CDM) and EINSTEIN. The congressional authorization for EINSTEIN expires in December 2022, which presents a compelling opportunity to rethink holistically the overarching .gov security posture. These strategic conversations should build on recent policy improvements from cyber-focused executive orders, security improvements from related legislative activity, and maturation in CISA’s capabilities governance policies (such as TIC 3.0).
The sunset of the current EINSTEIN authorization provides a unique opportunity to force necessary evolutions of the program at a moment where there is bipartisan interest in better fortifying federal networks.
EINSTEIN is the dominant tool in CISA’s implementation of the 2015 legislative mandate, formally called the National Cybersecurity Protection System (NCPS). In practice, EINSTEIN and NCPS are often used synonymously.
In simplest terms, EINSTEIN provides perimeter defense for Federal Civilian Executive Branch agencies. In totality, it represents the evolution of three iterations: E1, which collects and monitors network flow (NetFlow) data; E2, which adds signature-based intrusion detection; and E3A, which uses commercial internet service providers (ISPs) to detect potential cyber incidents and to block the associated traffic before it reaches the agency.
The EINSTEIN program was launched in 2003 and has an estimated lifecycle cost to date of well over $5 billion. It was formally authorized through the Cybersecurity Act of 2015, which required civilian agencies to begin utilizing the program, a significant milestone toward full intrusion prevention coverage across the government.
Specifically, that legislation authorized a “Federal Intrusion Detection and Prevention System” that has the “capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system; and capability to prevent network traffic associated with such cybersecurity risks from transiting or traveling to or from an agency information system or modify such network traffic to remove the cybersecurity risk.”
The law also acknowledges concerns around the inherent shortcomings of EINSTEIN’s underpinning technology by requiring DHS to “regularly deploy new technologies and modify existing technologies to the intrusion detection and prevention capabilities… as appropriate to improve the intrusion detection and prevention capabilities.”
While EINSTEIN can continue operating after its seven-year authorization expires in December 2022, reauthorization presents an opportunity to strategically reorient federal cybersecurity toward a defense-in-depth posture.
“Necessary But Not Sufficient”
There is growing recognition that EINSTEIN represents, at best, the most basic blocking and tackling of network defense, a reality reinforced by a series of GAO reports and by congressional oversight.
Post SolarWinds Scrutiny—Diagnosing the Wrong Problem
In the wake of SolarWinds, EINSTEIN came under significant public scrutiny for having “missed” the Russian-backed campaign. This narrative spread beyond cybersecurity and national security trade press. While EINSTEIN’s limitations have become abundantly clear, the appropriate question post SolarWinds should not have been “why did EINSTEIN not detect SolarWinds,” but rather “what happened to the complementary suite of tools that theoretically could have detected SolarWinds?”
This reality was further highlighted in a letter from the leadership of the Senate Homeland Security and Government Affairs Committee to CISA in the spring of 2021 that recognized the “inherent limitation of perimeter-based intrusion detection systems” as they are “ineffective at identifying or blocking sophisticated and novel attacks.”
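To make the distinction between the three EINSTEIN capabilities and the “inherent limitation” of perimeter signatures concrete, the following is an added toy model, written for this page and not drawn from CISA or the NCPS program. It summarizes flow records (the E1 idea), matches them against a list of known-bad indicators (the E2 idea), drops the matches (the E3A idea), and then shows what a complementary tool can add: a check for destinations the enclave has never contacted before. Every flow record, IP address (RFC 5737 documentation ranges), hostname, indicator and baseline entry is constructed for the example; none describes real EINSTEIN signatures or the SolarWinds campaign.

```python
"""Toy model of perimeter monitoring in the EINSTEIN style: flow summaries (E1),
signature matching (E2), blocking of matches (E3A), plus a baseline check that a
complementary tool might add. All flows, indicators, hosts and IPs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str      # internal host
    dst_ip: str      # external host
    dst_host: str    # hostname the internal host resolved (e.g. from DNS logs)
    dst_port: int
    bytes_out: int


# Constructed flow records. IPs are from RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", "www.example.org", 443, 4_200),
    Flow("10.0.0.5", "198.51.100.10", "www.example.org", 443, 3_900),
    Flow("10.0.0.7", "203.0.113.45", "bad.example", 443, 1_100),          # hits an IP indicator
    Flow("10.0.0.9", "192.0.2.80", "mail.evil.example", 25, 600),         # hits a domain indicator
    Flow("10.0.0.12", "192.0.2.200", "api.updates.example", 443, 900),    # novel host, no indicator
    Flow("10.0.0.12", "192.0.2.200", "api.updates.example", 443, 880),
]

# Constructed indicator list standing in for E2 signatures (hypothetical values).
SIGNATURES = {
    "ip": {"203.0.113.45"},
    "domain": {"mail.evil.example"},
}

# Constructed baseline: destinations this enclave has contacted before.
BASELINE_HOSTS = {"www.example.org"}


def summarize_flows(flows):
    """E1-style summary: (flow count, bytes out) per destination host."""
    summary = {}
    for f in flows:
        count, total = summary.get(f.dst_host, (0, 0))
        summary[f.dst_host] = (count + 1, total + f.bytes_out)
    return summary


def match_signatures(flows, signatures):
    """E2-style detection: (flow, reason) for each flow that hits an indicator."""
    hits = []
    for f in flows:
        if f.dst_ip in signatures["ip"]:
            hits.append((f, f"ip:{f.dst_ip}"))
        elif f.dst_host in signatures["domain"]:
            hits.append((f, f"domain:{f.dst_host}"))
    return hits


def enforce(flows, signatures):
    """E3A-style prevention: drop matching flows, pass everything else unchanged.
    Returns (allowed, blocked), both in original order."""
    blocked = {f for f, _ in match_signatures(flows, signatures)}
    return [f for f in flows if f not in blocked], [f for f in flows if f in blocked]


def unseen_destinations(flows, baseline):
    """What a complementary tool can add: destinations never seen in the baseline.
    A purely signature-driven engine has nothing to match here and passes them."""
    return sorted({f.dst_host for f in flows} - baseline)


if __name__ == "__main__":
    allowed, blocked = enforce(SAMPLE_FLOWS, SIGNATURES)
    print("flow summary:", summarize_flows(SAMPLE_FLOWS))
    print("blocked by signature:", [f.dst_host for f in blocked])
    print("allowed:", [f.dst_host for f in allowed])
    print("never seen before:", unseen_destinations(SAMPLE_FLOWS, BASELINE_HOSTS))
```

Run as written, the two flows with indicators are blocked, while both flows to the constructed `api.updates.example` host pass the perimeter untouched; only the baseline comparison surfaces that host, which is the kind of complementary capability the argument above is pointing at.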
To increase the security of federal civilian networks, Congress should implement the following recommendations during the EINSTEIN reauthorization process:
This paper is a product of the Forum for American Leadership’s Technology and National Security Innovation Working Group.