Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), today defended the value of CISA’s EINSTEIN cyber defense program against criticism leveled by the ranking member of the Senate Homeland Security and Governmental Affairs Committee and suggested that the program be improved rather than scrapped.
EINSTEIN is CISA’s intrusion detection system that monitors Federal civilian networks and their network gateways for suspicious traffic as part of the National Cybersecurity Protection System (NCPS).
The value of the system has come under fire from some quarters for its apparent inability to stop the Russia-backed attack on Federal and private sector networks via malware distributed through SolarWinds Orion security patches.
At a Senate Homeland Security hearing today that focused on the SolarWinds and Microsoft Exchange hacks, ranking member Sen. Rob Portman, R-Ohio, took aim squarely at EINSTEIN as one culprit in the faulty defense of Federal networks and suggested that the program be reevaluated when it comes up for renewal in 2022.
“Despite all the increased funding for cybersecurity … the Federal government never caught this attack,” Sen. Portman said of the SolarWinds breach. He said the attack was underway for a year before it was first reported publicly by cybersecurity services provider FireEye – which itself was breached in the exploit.
“We need to take a hard look at the Federal cybersecurity strategy … to see what we are doing wrong,” the senator said.
In particular, he singled out the $6 billion spent thus far on the EINSTEIN program, and said it was “clearly not effective in stopping the attack.” The senator said the program was up for reauthorization next year, and that “it’s a good time to consider its utility and how it can be improved.”
“We need to keep the pieces of EINSTEIN that provide significant value,” and look for other ways to improve the program, Wales said in response. “We need to supplement EINSTEIN” with other tools, he continued, that will “look inside the network for threats.” The CISA official added that the extra $650 million provided to the agency through the American Rescue Plan Act will provide “a down payment” for accomplishing that.
During the hearing, Wales mounted a vigorous defense of the EINSTEIN program, saying that it “continues to perform as it was designed,” and offers protection “against the things it was designed to protect against.”
He explained that the program looks at traffic moving in and out at the network perimeter, and was “not designed to detect unknown threats.”
As to EINSTEIN’s failure to stop the SolarWinds attack, “there was no intrusion detection system that detected” the exploit, Wales said. He added that FireEye did not discover it was breached by using an intrusion detection system, and explained, “it would not work that way.”
Elsewhere in their testimony at today’s hearing, Wales and Federal CISO Christopher DeRusha advocated for technology that gives CISA greater visibility into Federal networks, and for a drive toward adoption of more sophisticated security architectures, including zero trust concepts.
“We must raise our game,” Wales said, including getting better tools to detect attacks. “We want to look inside of networks at the endpoints, and the critical servers … in other words, inside the networks,” he said.
“Part of the challenge is you can only secure what you can see,” he said. “We need to deploy different kinds of systems to get the right insights into where threats are coming from.”