Fix the Inadequate Systems that Protect .gov Networks

The current National Cybersecurity Protection System is insufficient to manage the threats facing U.S. networks today, let alone tomorrow. The Department of Homeland Security’s approach to defending our government’s network architecture, NCPS is a system of systems that uses a variety of platforms and services intended to detect, analyze, and share threat information as well as filtering malicious code before it appears on government networks. Despite the best of intentions, it hasn’t been very successful.

Under the NCPS: the Office of Personnel Management, breached; the National Weather Service, breached ; the Federal Bureau of Investigation, breached. We’re not talking about small breaches here, either. In the OPM hack alone, over 27 million personnel records were stolen, along with five million sets of fingerprints. These attacks were planned, organized, and conducted by both nation-states and non-state actors that now possess intimate insight into the inner workings of America’s networks, in addition to countless gigabytes of stolen data.

Why has the NCPS failed? Rather than functioning as a concerted and focused program, the DHS manages the system in a piecemeal fashion using outdated and outmoded technology. The services and systems DHS uses simply cannot cope with the panoply of threats that exist today and will exist tomorrow. Artificial intelligence-driven threats that occur at a pace and frequency beyond the scope of our understanding or appreciation.

The blame should not be wholly laid at the feet of DHS’ leadership. It has neither the resources nor the authority to bring the NCPS to the standard needed to combat China, Russia, Iran, or North Korea, let alone the four at the same time.

A recent Government Accounting Office (GAO) report found that since 2009, DHS spent more than $1.2 billion on the EINSTEIN program, DHS’ intrusion and protection system. Sounds like a lot, doesn’t it? Well, it isn’t. JPMorgan Chase spends roughly $500 million annually on the defense of its networks, assets, and intellectual property. Think about that: the bank spends a half billion dollars per year on a non-revenue generating business line, while the U.S. government spends about $125 million a year on the core program designed to defend the whole of the .gov domain. Naturally, it is not an apples-to-apples comparison, but it should give you a moment’s pause.

What is to be done? First, it is critical that we don’t let this current crisis (as some call it) go to waste. The Russian penetration of electoral systems across the country (paired with its other overt and covert influence operations) should heighten the focus of Congress, the executive branch, and the American people. Additional resources and authorities should be given to DHS, with concomitant oversight and accountability from Capitol Hill. DHS should be held accountable for the inefficiencies and failures of NCPS; fixing the outdated and insufficient system should be their top priority. EINSTEIN needs to be augmented, enhanced, and continually improved to meet today’s and tomorrow’s threats. The recently awarded DOMino contract is a step forward, as the NCPS needs greater capabilities quickly.

We should also recognize that this is not an American problem alone. Our Australian, British, Canadian, and New Zealander partners are facing similar threats and similar vulnerabilities. Partnering with them to share information in real- or near real-time would be invaluable in improving our ability to interdict cyber threats. These four countries also represent the other partners of the “Five Eyes” of intelligence, and we are pretty darn good about working with them on other intelligence and security matters.

The private sector must be aggressively brought in to help find new and innovative solutions to these complex challenges. We must also recognize that the current model of acquisitions is insufficient. Lengthy request-for-proposal processes take too long, are too inefficient, and are simply unattractive to high-tech innovators in Silicon Valley and elsewhere.  

The cyber threat isn’t tomorrow’s challenge; it’s today’s. It’s here, it’s real, and the sooner we recognize that and invest accordingly, the sooner we can defend ourselves.