In search of a smarter Einstein

If the Einstein intrusion detection system was unlikely to have detected the malware that was delivered via the SolarWinds Orion update, how can it be fixed?

Einstein is the Department of Homeland Security's intrusion detection system. It observes traffic flowing in and out of federal networks and checks it against a database of known malware, so it can only flag threats that have already been catalogued. That makes it unlikely Einstein ever could have detected the malware implanted into SolarWinds Orion: the implant was previously unseen, and it reached agency networks inside a trusted vendor update, so there was nothing in the database to match.

However, overhauling Einstein to identify unknown or zero-day threats would be far too costly, cybersecurity analysts said. The most viable path forward, they argued, would be to install new capabilities, necessarily bolstered by private industry.

Kiersten Todt, formerly executive director of the Commission on Enhancing National Cybersecurity, was blunt about Einstein's record. "There are no real strong success stories of Einstein," she said. "When you look at what happened with SolarWinds, they essentially outsmarted Einstein."

"The challenge with detecting activity like the SolarWinds hack is that the hack is accomplished through 'authorized' malware," said Philip Reitinger, president and CEO of the Global Cyber Alliance.

To detect that malware, a defensive system would have to do one of two things: deny by default all communications that are not explicitly whitelisted, or establish a user activity baseline and single out deviations from it for investigators to pursue. "That can be difficult to do and resource intensive," he added.
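As an added illustration of the two approaches Reitinger contrasts, the Python below runs a signature lookup, a default-deny egress check, and a per-host destination baseline over a handful of constructed flow records. It is example code written for this page, not part of the original article, and it does not describe how Einstein actually works; every hostname, domain, indicator and timestamp in it is invented.

```python
"""Signature matching versus default-deny versus baseline anomaly detection,
run over constructed network flow records.  Added example: nothing here is
Einstein data or a real indicator; all names and times are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed 30-day history: (timestamp, source host, destination domain).
BASE = datetime(2020, 11, 1)
BASELINE_FLOWS = [
    (BASE + timedelta(days=d, hours=h), host, dst)
    for d in range(30)
    for host, dst, h in [
        ("orion-srv01", "updates.example-vendor.invalid", 3),
        ("orion-srv01", "telemetry.example-vendor.invalid", 4),
        ("ws-0042", "mail.example-agency.invalid", 9),
    ]
]

# Constructed indicator list standing in for a database of known malware.
KNOWN_BAD = {"c2.example-oldmalware.invalid"}

# Constructed explicit allowlist: the destinations an admin has approved.
ALLOWLIST = {dst for _, _, dst in BASELINE_FLOWS}

# Constructed flows for the day under investigation: the usual traffic, plus a
# never-before-seen destination contacted by the server every 45 minutes.
DAY = BASE + timedelta(days=30)
NEW_FLOWS = [
    (DAY + timedelta(hours=3), "orion-srv01", "updates.example-vendor.invalid"),
    (DAY + timedelta(hours=9), "ws-0042", "mail.example-agency.invalid"),
] + [
    (DAY + timedelta(hours=1, minutes=45 * i), "orion-srv01", "api.unknown-cdn.invalid")
    for i in range(6)
]


def signature_hits(flows, iocs):
    """Signature approach: flags only flows to destinations already known bad.
    A new destination that is not in the list is invisible to it."""
    return [f for f in flows if f[2] in iocs]


def egress_denied(flows, allowlist):
    """Default-deny alternative: every flow whose destination is not explicitly
    allowed is blocked.  No baseline is needed, but the list must be curated."""
    return [f for f in flows if f[2] not in allowlist]


def build_baseline(flows):
    """Baseline approach, step 1: record which destinations each host normally
    talks to during the observation window."""
    seen = defaultdict(set)
    for _, host, dst in flows:
        seen[host].add(dst)
    return seen


def baseline_anomalies(baseline, flows, max_jitter=0.2):
    """Baseline approach, step 2: flag (host, destination) pairs absent from
    the baseline and note whether the contacts recur at a regular interval,
    the pattern an implant checking in with its controller tends to show."""
    new_pairs = defaultdict(list)
    for ts, host, dst in flows:
        if dst not in baseline.get(host, set()):
            new_pairs[(host, dst)].append(ts)
    findings = []
    for (host, dst), times in new_pairs.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Regular spacing: spread of the gaps is small relative to their mean.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * mean(gaps)
        findings.append({"host": host, "dst": dst,
                         "count": len(times), "periodic": periodic})
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(NEW_FLOWS, KNOWN_BAD))
    print("would be denied:", len(egress_denied(NEW_FLOWS, ALLOWLIST)), "flows")
    for finding in baseline_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print("baseline anomaly:", finding)
```

On the constructed day the signature lookup returns nothing, because the new destination is in no indicator list; the default-deny check blocks all six contacts outright; and the baseline check surfaces one finding, a host reaching a destination it has never used before at a fixed cadence, which is the kind of lead an analyst would pursue. The trade-off in the last two is the one Reitinger points to: the allowlist must be maintained for every legitimate new service, and the baseline has to be built and tuned per host.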

Michael Hamilton, a former vice chair for a government coordinating council focused on critical infrastructure protection, described a similar method as the most likely way forward for DHS to improve Einstein. Although its precise capabilities are classified, Hamilton speculated the program's age -- Einstein was originally developed in 2003 -- is a sign it may not be baselining user activity in the way he and Reitinger described.

Hamilton said that "it's not likely they throw it out and start over," noting the program's sunk costs. "My understanding is that it cost $6 billion to develop."

An official from the Cybersecurity and Infrastructure Security Agency declined to comment specifically on the program's methods when asked about the analysts' suggestion.

"Einstein intrusion detection and prevention capabilities primarily rely on commercial-off-the-shelf (COTS) intrusion-detection capabilities, which utilize CISA's access to cyber threat intelligence to detect, and block where appropriate, suspected malicious cyber activity," the official said.

Whatever new capability or program DHS establishes, Todt said it must be predicated on industry playing a larger role than it does with Einstein.

"Government cannot do this by itself nor should it," she said. "I think Einstein was predicated on government doing it by itself."

Mike McNerney, co-founder and chair of the Institute for Security and Technology, said another fundamental challenge Einstein faces is the government's ongoing transition to the cloud.

"While it [Einstein] may continue to be a part of the government's security approach, there are other products and technologies better suited for the cloud," he said. "Combined with greater access control initiatives, the more network-based Einstein is arguably less useful."

The White House has started accounting for the damage done in the wake of the SolarWinds attack. Within days of being sworn in, Biden ordered the new director of national intelligence, Avril Haines, to provide a sweeping intelligence review of the hack.

Sen. Maggie Hassan (D-N.H.), a member of the Senate committee responsible for overseeing DHS, said Biden must "engage in a top-to-bottom review of how this was able to happen and go undetected for so long, and what needs to be done to strengthen the federal government's cybersecurity."

This article was first posted to FCW, a sibling site to Defense Systems.