Project Einstein for Network Security

The Einstein Program is an intrusion detection system that monitors the network gateways of U.S. government agencies for unauthorized Internet traffic. Einstein 1 examined network traffic while Einstein 2 can look at the content of incoming and outgoing transactions. *

In 2007 an upgraded version of Einstein 2 was required for all government agencies except for the Department of Defense as well as all intelligence agencies.  That excludes 60% of all US IT spending.

By 2008 Einstein was deployed in fifteen out of the nearly six hundred agencies. With such slow progress the Department of Homeland Security (DHS) has asked for $459 million for FY12 to include the installation of Einstein 3 and increasing agency participation. Congress my not, however, support enlarged Einstein funding.

Einstein is the result of the E-Government Act of 2002. It is under the management of DHS, which is responsible for the safeguarding all civilian agencies, which have over 2 million users. Einstein involves the centralization of all connections to the Internet in order perform consolidated real-time intrusion prevention for all incoming and outgoing communications.

It supports 4 Federal Computer Incident Response Centers (FedCIRC).

Einstein 3 uses an intrusion prevention system to block all malware from ever reaching government sites.

The technical problems with Einstein implementations are as follows:
1. While Einstein 2 is only partially implemented, the testing of Einstein 3 has not been implemented.
2. It is unlikely that Einstein 2 or 3 will have the capacity to defend against denial of service attacks (DoS). Criminal bot masters can now rent out as many as 5 million bots. Government cyber attackers can command more than that. Potentially, each bot can generate up to 10 MBs traffic. This could produce an onslaught of over 50,000 Terabytes/second on a single IP address. That is not scalable.
3. One way of detecting intrusion anomalies is through correlation. New intrusions are compared with prior cases. Unless supercomputers are employed for this purpose, Einstein does not have the capacity to make correlations for a network that serves two million users.
4. Einstein depends on the authentication of signatures from trusted as well as untrusted commercial sources. That is not acceptable

SUMMARY
It is unlikely that Einstein can be expected to protect the civilian sector of the government against cyber attacks. Current discussions promoting extensions of Einstein into the US critical infrastructure (electricity, energy, communications, etc.) have little merit.


* Einstein, http://en.wikipedia.org/wiki/Einstein_(US-CERT_program)
** Communications of the ACM, August 2011, p.30