Audit: DHS Cyber Defense Fails to Detect 94 Percent of Hacks

Federal agencies remain extremely vulnerable cyber targets two years after OPM breach

According to a sanitized version of a secret federal audit, the firewalls operated by the Department of Homeland Security, meant to detect and prevent nation-state attacks, are completely ineffective. The audit found the federal government’s primary perimeter defense system, known as EINSTEIN, depends only on known patterns of attack (signature detection) to spot suspicious traffic and fails to detect 94 percent of commonly known vulnerabilities — or even check web traffic for malicious content.

In addition, the audit discovered that the prevention feature of the system is only deployed at five of the 23 major nondefense agencies, one of which was the Office of Personnel Management.

The auditors’ findings included the conclusion the $6 billion DHS system does not combat hackers, nor “should it be relied on to provide effective cybersecurity-related support to federal agencies.” They went on to say that “The overall intent of the system was to protect against nation-state level threat actors,” yet EINSTEIN completely missed these so-called advanced persistent threats, which are commonly used by nation-state actors.

EINSTEIN “did not possess intrusion-detection signatures that fully addressed all the advanced persistent threats we reviewed,” the authors of the audit said.

Even though the Department of Homeland Security sponsors the standard national database of security flaws (CVEs) maintained by the National Institute of Standards and Technology, EINSTEIN does not sync with that database and consequently flagged no more than six percent of the 489 vulnerabilities identified. That means that even if the CIA were not hoarding these known vulnerabilities in Adobe Acrobat, Flash, Internet Explorer, Java and Microsoft Office, our own national cyber-defense system failed to detect 94 percent of their exploits anyway.

The zero-day attack that blew through EINSTEIN’s defenses at the Office of Personnel Management in 2015 is a classic example of the type of attack that our current federal government defenses cannot handle. News flash: Zero-day attacks are the only attacks that the private sector is concerned with today. All of the “signature-based” attacks are already handled by various cybersecurity technologies. Someone at DHS might want to look outside the confines of the Washington swamp.

Most of today’s advanced cyber-attacks hide in network flows and cannot be seen or detected by EINSTEIN because the system instead relies on manual intervention by way of adding signatures after a malicious attempt is unearthed. This cave-dwelling approach guarantees that zero-day attacks by definition will always be successful against our national cyber defense system.
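As an added illustration of the distinction the paragraph above draws (this is not code from the article, from GAO or from DHS, and the signatures, vulnerability ids, addresses and flow records are all constructed placeholders), the script below runs two detectors over the same sample traffic: a signature matcher that only fires on byte patterns it already knows, and a flow-level heuristic that flags hosts checking in to one external address at suspiciously regular intervals. It also computes the kind of signature-to-vulnerability-database coverage figure the audit reports, so a defender can see that number for their own ruleset rather than assume it.

```python
"""Signature-only detection versus a flow-level heuristic.

Added illustration, not from the article or the GAO audit. Every signature,
CVE id, address and flow record below is constructed for the demo.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signature set. The ids are placeholders, not real CVE numbers;
# each regex stands in for the byte pattern a signature-based IDS would match.
SIGNATURES = {
    "CVE-0000-0001": re.compile(rb"%PDF-1\.\d.*?/JavaScript", re.S),
    "CVE-0000-0002": re.compile(rb"MZ.*?UPX!", re.S),
}

# Constructed vulnerability database: eight placeholder ids, two of which
# have a signature above. The real comparison would use NVD entries.
VULN_DB = ["CVE-0000-000%d" % i for i in range(1, 9)]


def signature_matches(payload: bytes) -> list:
    """Return the ids of every signature that fires on this payload."""
    return [cve for cve, rx in SIGNATURES.items() if rx.search(payload)]


def signature_coverage(signatures, vuln_db) -> float:
    """Fraction of the vulnerability database that has at least one
    signature. Anything not covered is invisible to signature matching."""
    covered = sum(1 for cve in vuln_db if cve in signatures)
    return covered / len(vuln_db)


def detect_beaconing(flows, min_count=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-arrival times are very regular:
    at least min_count flows and a coefficient of variation of the gaps
    below max_cv. Looks only at timing, so it needs no payload signature."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    suspicious = set()
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            suspicious.add(pair)
    return suspicious


def triage(flows):
    """Run both detectors; return (kind, src, dst, detail) alerts."""
    alerts = []
    for f in flows:
        for cve in signature_matches(f["payload"]):
            alerts.append(("signature", f["src"], f["dst"], cve))
    for src, dst in sorted(detect_beaconing(flows)):
        alerts.append(("beaconing", src, dst, None))
    return alerts


# Constructed sample flows: one download that matches a known signature,
# some irregular ordinary browsing, and six check-ins from one host to one
# external address roughly 60 s apart that match no signature at all.
SAMPLE_FLOWS = [
    {"ts": 0.0, "src": "10.0.0.9", "dst": "198.51.100.4",
     "payload": b"%PDF-1.4 ... /OpenAction << /S /JavaScript >>"},
    {"ts": 3.0, "src": "10.0.0.9", "dst": "198.51.100.20", "payload": b"GET / HTTP/1.1"},
    {"ts": 47.0, "src": "10.0.0.9", "dst": "198.51.100.20", "payload": b"GET /news HTTP/1.1"},
    {"ts": 48.5, "src": "10.0.0.9", "dst": "198.51.100.20", "payload": b"GET /img HTTP/1.1"},
    {"ts": 130.0, "src": "10.0.0.9", "dst": "198.51.100.20", "payload": b"GET /a HTTP/1.1"},
    {"ts": 400.0, "src": "10.0.0.9", "dst": "198.51.100.20", "payload": b"GET /b HTTP/1.1"},
]
JITTER = [0.0, 1.2, -0.8, 0.5, -1.1, 0.3]
SAMPLE_FLOWS += [
    {"ts": 60.0 * i + JITTER[i], "src": "10.0.0.5", "dst": "203.0.113.7",
     "payload": b"POST /api HTTP/1.1"}
    for i in range(6)
]

if __name__ == "__main__":
    print("signature coverage of vuln db: %.0f%%"
          % (100 * signature_coverage(SIGNATURES, VULN_DB)))
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```

The signature matcher catches the PDF download and nothing else; the beaconing heuristic flags the 10.0.0.5 check-ins even though their payloads look like routine POSTs. Thresholds such as `min_count` and `max_cv` are illustrative and would need tuning against real traffic before use.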

To make matters worse, the Obama administration’s vaunted information-sharing initiatives are now found to be essentially worthless, according to GAO officials. The IT infrastructures at each agency differ, and EINSTEIN apparently must be tailored to each separate environment. One complaint held that EINSTEIN would disrupt the agency’s email system.

“DHS’s information-sharing initiatives have met with frequent disagreements among agencies about the number of notifications sent and received and their usefulness,” according to the GAO auditors.

The agencies claim they received only a quarter of the notifications Homeland Security said it had sent in the audited period, and the ones that did reach them served no purpose, according to the audit. Of the alerts that were communicated successfully, almost half were too slow, useless, false alarms, or unrelated to intrusion detection.

Meanwhile, as seasoned Washington observers might have guessed, the DHS has created a variety of metrics related to EINSTEIN, but “none provide insight into the value derived from the functions of the system,” the auditors said.

I don’t have to tell anyone reading this that if even a tiny bit of this incompetence occurred in the private sector, even at non-profits, heads would roll. We might shrug if a government agency screwed up dealing with, say, climate change, but are we really going to ignore this level of dangerous disregard for our national defense? What if our military started to behave like the troops in Stripes or Down Periscope? Would that be funny?

This is not funny. Heads should roll. And, this President needs to quickly understand that the vast government under his charge is protected by antiquated technology and failed detection and prevention techniques, surrounded by bureaucrats who make a living covering their own interests while the rest of ours are hung out as targets.

Homeland Security now says they weren’t required to link up the signatures with the vulnerability database but that they acknowledge the deficiency and plan to address it soon in the future, according to the audit response. Soon, but in the future. Sometime. Later. Maybe. Because, you know. They weren’t required.

Steve King is the COO and CTO of Netswitch Technology Management.