Published by The Lawfare Institute in Cooperation With
Over the past year, Russia and the People’s Republic of China conducted successful cyber espionage campaigns against federal agencies, compromising some of the United States’ most sensitive information.
The American public may wonder why federal networks remain vulnerable to serious data breaches despite the government spending billions on cybersecurity programs. But new reports from key congressional committees reveal lawmakers’ apparent concerns that the Department of Homeland Security’s key cybersecurity technologies are insufficient to guard against nation-state attacks.
The House Appropriations Committee included alarming language in its report accompanying the fiscal year 2022 funding bill for the Department of Homeland Security, which passed the committee last month. “The Committee is increasingly concerned with the ability of adversaries to circumvent and use existing cybersecurity solutions to gain access to critical systems and data,” the report notes. The appropriators requested more information from Homeland Security about the department’s main cybersecurity technology programs to understand whether they are working, as well as “an examination of emerging technologies that could improve the government’s data security and protection.”
In August, the Senate Homeland Security and Governmental Affairs Committee, led by Sens. Gary Peters and Rob Portman, issued a bipartisan staff report reviewing the state of the federal government’s cybersecurity. The news wasn’t good. Across the federal government, the committee found that large agencies were earning a grade of “C-” and that agencies had made little progress since 2019. The Senate panel also detailed major weaknesses in the Department of Homeland Security’s technology programs. “[The department’s] flagship cybersecurity program for Federal agencies—the National Cybersecurity Protection System (NCPS), operationally known as EINSTEIN—suffers from significant limitations in detecting and preventing intrusions,” committee staff warned.
These congressional committees and panels, which are responsible for funding and overseeing federal cybersecurity, are raising serious concerns that should be a wake-up call to the American public. The federal government’s secrets and the public’s data remain at risk. A closer look at the Department of Homeland Security’s cybersecurity technology projects shows that taxpayers have been spending billions on insufficient cybersecurity technologies despite long-standing concerns.
A Closer Look at Homeland Security’s Cybersecurity Technology Programs
The Department of Homeland Security operates two main technology programs intended to help secure federal civilian agencies.
Launched in 2012, the Continuous Diagnostics and Mitigation (CDM) program aims to help federal civilian agencies and the administration improve cybersecurity by supplying tools that provide visibility across agency networks, reduce threat surfaces, and modernize compliance with federal information security rules and reporting to the Office of Management and Budget. Through the CDM program, the Department of Homeland Security helps agencies deploy these tools, including agency dashboards, using shared services offered through federal contract vehicles coordinated by the General Services Administration. The Government Accountability Office (GAO) estimates that the program has cost more than $10 billion to date.
The Einstein program, which began in 2003, is an intrusion detection and prevention system intended to filter traffic entering federal civilian agency networks and block potential attacks. Homeland Security uses information about potential threat actors, including from classified sources, and partners with internet service providers to provide a basic perimeter defense for civilian agencies. Despite an estimated lifecycle cost of more than $6 billion, the Department of Homeland Security warns that the Einstein program “is not a silver bullet” and “will never be able to block every cyber attack.”
One reason Einstein provides only a basic perimeter filter is that it is currently designed to spot and block known threats. “Just as the police would not have fingerprints to identify a burglar they had never seen before, [the Einstein program] generally cannot detect a hacker no one has seen before,” the Senate committee warns. “Even known hackers can take easy steps to disguise their fingerprints—changing their tactics, techniques, and procedures as easily as a burglar might don gloves.”
Congress has been concerned about these weaknesses in the Einstein program for years. In 2015, Congress passed a law requiring the Department of Homeland Security to test and update the Einstein program’s technologies to improve its detection capabilities. But as of 2018, the GAO found that the department was still years away from having the ability to “assess agency network activity and identify any anomalies that may indicate a cybersecurity compromise” as Congress required back in 2015.
The costly CDM program also has a mixed track record. A 2020 GAO audit of three agencies’ attempts to deploy CDM found that the agencies had only partly deployed the program’s tools. As a result, the information on their agency dashboards was incomplete. A recent Office of the Inspector General review of Homeland Security’s own implementation of CDM identified big problems, despite the department spending $180 million on the project and being in charge of managing the program for other civilian agencies. The watchdog found that Homeland Security components were not using CDM services effectively. “Until these capabilities are complete,” the inspector general warned, “the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time.”
Even the Department of Homeland Security has acknowledged that these key cybersecurity technologies may need to be updated. A Cybersecurity and Infrastructure Security Agency (CISA) official recently testified that Einstein’s technology, which was “designed a decade ago,” has “grown somewhat stale over time and does not provide the visibility that CISA needs.” In January, Homeland Security Secretary Alejandro Mayorkas committed to reviewing both the CDM and Einstein programs to determine whether they are the right technologies to protect against current threats.
Looking Forward and Lessons Learned
If there is any good news in these developments, it’s that there’s growing bipartisan focus on updating the federal government’s apparently outdated cybersecurity technologies.
The recent congressional reports provide clues about what technologies and strategies may be coming next. The House Appropriations Committee’s report directs the Department of Homeland Security to study emerging technologies “such as data shielding and immutable logging of suspect activity, instant threat and anomaly detection, and user behavior analytics” as options to improve federal data security. The Senate Homeland Security and Governmental Affairs Committee report recommends that the department present a plan to update the Einstein program and justify its costs, while also recommending that the department help federal agencies use commercial off-the-shelf products and services for endpoint detection and other cybersecurity needs.
But the federal government’s long-standing difficulty in acquiring the technology needed to improve its cybersecurity posture, or even in complying with basic federal information security laws, highlights bigger, strategic questions for Congress.
For starters, is the federal government’s current organizational approach to cybersecurity appropriate? Responsibilities for securing federal data are decentralized with no single agency or office in charge. CISA has been assigned growing operational responsibilities over the past decade. But the agency also has many competing responsibilities and remains a component within the Department of Homeland Security, where cybersecurity remains just one of several pressing national security missions. National Cyber Director Chris Inglis, who was recently confirmed to lead the newly formed office, is well positioned to set governmentwide strategy and policy. But his office currently has limited funding and staffing. Congress should consider whether his office needs greater authority and resources to lead.
Congress should also consider whether the federal government’s laws and policies for managing major technology acquisitions programs allow agencies to appropriately adapt and keep pace with dynamic security challenges. At the same time, Congress and the administration must redouble ongoing efforts to attract the right talent and personnel into federal agencies and congressional offices to better inform policymakers about how to manage cyber risks and appropriately oversee these complicated issues.
What’s apparent from recent major data breaches and the federal government’s ongoing challenges to defend its own networks is that the current approach isn’t working. Addressing the immediate technological vulnerabilities should be the top priority. But lawmakers shouldn’t delay answering the larger strategic questions about why the federal government has struggled with cybersecurity for so long.