I am finally getting around to filing this report, but I thought I would post the section on cyber security. It is very short. Here is the link to the full report:
If anyone has any unclassified technical material on Einstein 2 (or their experiences with it) I would love to read about it. The closest I have found is a "sample flow record" from the 2008 privacy impact report.
In particular, I would like to see more information about what it reports and the format.
Todd
From the GAO's
DEPARTMENT OF HOMELAND SECURITY Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11
QHSR mission: Mission 4: Safeguarding and Securing Cyberspace
Functional area: Critical infrastructure protection – cyber assets
Key progress: DHS expanded its efforts to conduct cyber security risk assessments and planning, provide for the protection and resilience of cyber assets, and implement cyber security partnerships and coordination mechanisms. For example, DHS developed the first National Cyber Incident Response Plan in September 2010 to coordinate the response of multiple federal agencies, state and local governments, and hundreds of private firms, to incidents at all levels. DHS also took steps to secure external network connections in use by the federal government by establishing the National Cybersecurity Protection System, operationally known as Einstein, to analyze computer network traffic information to and from agencies. In 2008, DHS developed Einstein 2, which incorporated network intrusion detection technology into the capabilities of the initial version of the system. Additionally, the department made progress in enhancing its cyber analysis and incident warning capabilities through the establishment of the U.S. Computer Emergency Readiness Team, which, among other things, coordinates the nation’s efforts to prepare for, prevent, and respond to cyber threats to systems and communications networks. Moreover, since conducting a major cyber attack exercise, called Cyber Storm, DHS demonstrated progress in addressing lessons it had learned from this exercise to strengthen public and private incident response capabilities.
What remains to be done: Key challenges remain in DHS’s cyber security efforts. For example, to expand its protection and resiliency efforts, DHS needs to lead a concerted effort to consolidate and better secure Internet connections at federal agencies. Further, DHS faced challenges regarding deploying Einstein 2, including understanding the extent to which its objective was being met because the department lacked performance measures that addressed whether agencies report whether the alerts represent actual incidents. DHS also faces challenges in fully establishing a comprehensive national cyber analysis and warning capability. For example, the U.S. Computer Emergency Readiness Team did not fully address 15 key attributes of cyber analysis and warning capabilities. These attributes are related to (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. For example, the U.S. Computer Emergency Readiness Team provided warnings by developing and distributing a wide array of notifications; however, these notifications were not consistently actionable or timely. Additionally, expectations of private sector stakeholders are not being met by their federal partners in areas related to sharing information about cyber-based threats to critical infrastructure.