Siobhan Gorman, writing at the Wall Street Journal, tells us that a report from Richard Skinner, DHS Inspector General, will be presented to Congress today. The report highlights troubles at US-CERT, in particular turnover in leadership and severe understaffing.
The problem is not with US-CERT's administration; it is with their impossible mission. There appears to be some belief within DHS and the inspector general's office that the secret Einstein project is somehow going to improve cyber security.
Pointing fingers at slow deployment and lack of information dissemination is ignoring a more fundamental problem.
The Einstein project, authorized under the still-classified portions of the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI), is a plan to deploy Intrusion Detection System (IDS) sensors at all of the government's Internet gateways.
Even if US-CERT were fully staffed with three shifts to monitor and report on the alerts Einstein generated, even if all of the sensors were deployed, even if all of the information were distributed to every department and agency within DHS, the US would not be able to fight cyber attacks.
Let's review. IDS is a technology invented over 15 years ago. It is signature-based, which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years are associated with unwanted network traffic, be it worms, port scans, or intrusions.
Because the original deployments of IDS were just passive data collectors, there was no impact on network performance from adding new signatures, so the database grew and grew, and the logs IDS generated grew and grew, to the point where even a mid-size organization would receive millions of alerts a day.
IDS log management became a major problem that gave birth to two industries: Security Information and Event Management (SIEM) and Managed Security Service Providers (MSSP).
SIEM products from companies like ArcSight attempt to prioritize alerts so that security personnel can focus on just the important events. MSSPs (Symantec, SecureWorks, BT) use SIEM products to make it even easier for a customer to handle the flood of alerts their IDS generates.
To make the claim that they are effective, MSSPs staff their SOCs (Security Operations Centers) around the clock. US-CERT has been tasked with becoming the MSSP for DHS. But do you see the problem here?
The only tool in DHS's toolbox is a monitoring tool. Millions of alerts have to be filtered down. The continuous port scans, the worm traffic, the DDoS attacks, have to be winnowed down to something actionable.
And even if that were possible, attacks such as those seen by Google, the Dalai Lama's office, and the Pentagon, would still be effective.
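To make the two points above concrete, here is an added illustration (not part of the original post, and not any product's code): a toy signature-based IDS run over a constructed traffic sample, a SIEM-style pass that collapses the resulting flood into a few ranked rows, and a check showing that traffic matching no signature never becomes an alert at all. The signatures, addresses and payloads are all made up for the example.

```python
import re
from collections import Counter

# Constructed signature set: (name, pattern over the payload, severity 1..5).
SIGNATURES = [
    ("port-scan-syn", re.compile(r"^SYN$"), 1),
    ("worm-probe", re.compile(r"GET /scripts/root\.exe"), 2),
    ("sql-injection", re.compile(r"UNION\s+SELECT", re.I), 4),
]

# Constructed traffic sample: (source, destination port, payload).
TRAFFIC = (
    [("10.0.0.5", port, "SYN") for port in range(1, 1001)]        # one scanner, 1000 probes
    + [("10.0.0.9", 80, "GET /scripts/root.exe HTTP/1.0")] * 50    # old worm noise
    + [("10.0.0.7", 80, "GET /item?id=1 UNION SELECT password FROM users")]
    # Stand-in for a targeted attack using a technique nobody has written a signature for.
    + [("10.0.0.3", 443, "POST /api/upload (constructed placeholder, matches nothing)")]
)

def raw_alerts(traffic, signatures=SIGNATURES):
    """What a passive IDS emits: one alert per packet per matching signature."""
    return [(name, src, sev) for src, _port, payload in traffic
            for name, pattern, sev in signatures if pattern.search(payload)]

def prioritize(alerts, min_severity=3):
    """SIEM-style winnowing: collapse repeats per (signature, source), rank by
    severity, and keep only rows at or above the analyst's threshold.
    Returns (signature, source, count, severity) tuples, most severe first."""
    counts = Counter(alerts)
    rows = [(name, src, n, sev) for (name, src, sev), n in counts.items()]
    rows.sort(key=lambda r: (-r[3], -r[2]))
    return [r for r in rows if r[3] >= min_severity]

def undetected(traffic, signatures=SIGNATURES):
    """Traffic that matched no signature: it never reaches the alert queue,
    so no amount of prioritization or staffing can surface it."""
    return [t for t in traffic
            if not any(p.search(t[2]) for _name, p, _sev in signatures)]

if __name__ == "__main__":
    alerts = raw_alerts(TRAFFIC)
    print(len(alerts), "raw alerts")            # 1051 for 1052 packets
    for row in prioritize(alerts):
        print("actionable:", row)                # a single SQL-injection row
    for src, _port, _payload in undetected(TRAFFIC):
        print("never alerted on:", src)          # the novel attack from 10.0.0.3
```

Over 1052 packets the sensor emits 1051 alerts, the SIEM pass reduces them to one actionable row, and the one packet that matters most produces nothing, which is the gap no monitoring tool can close.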
I have been beating this drum since 2003 when I visited the Pentagon and in no uncertain terms informed them that they were wasting their money on IDS.
The ensuing public debate was well covered by the media but must have been missed by the framers of the CNCI.
Einstein is a waste of money and a distraction. Other than generating huge reports that highlight the levels of attacks targeting DHS it will do nothing to protect DHS networks.
There have been a lot of advances in network security technology since 2003. It is time for DHS to get serious about security.
* * *
Attention! Richard Stiennon's new book, "Surviving Cyberwar" has been published: