Einstein Explained: Can EINSTEIN Rescue Government Cybersecurity?

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

The real Albert Einstein was an impressive physicist who developed the general theory of relativity that serves as a core of modern physics. The Department of Homeland Security’s Einstein (also sometimes referred to as the EINSTEIN Program, even though the letters aren’t an acronym) is a bit less impressive than the human it’s named after, but could nonetheless one day lead to better protection for government networks and data.

Einstein, as it was originally designed, is supposed to do two things for government agencies. First, it can ferret out malicious traffic coming into or leaving government networks. Secondly, it’s supposed to give DHS a holistic overview of government health and a situational awareness about threats across the entire government.

Einstein was born as part of the E-Government Act of 2002 in an effort to improve the security and stability of government networks. It’s in the news again in the wake of the recent data breaches at the Office of Personnel Management. Einstein was on the case and was able to trace the attack on OPM systems so analysts could create a signature to block the same malicious code from infiltrating other agencies.

Unfortunately, this happened after millions of government workers’ records had already been stolen. So that’s not exactly a win for the program.

The biggest problem with Einstein from a technical standpoint is that it relies on signatures to detect malicious traffic, not unlike most anti-virus programs do today. The successful attack at OPM used previously unknown and targeted techniques as part of an advanced persistent threat that likely originated from a well-funded team supported by its rival government. Against a modern APT, signature-based protection is nearly worthless until well after the fact.

In response, DHS is improving Einstein and upgrading it to EINSTEIN 3 Accelerated (Einstein 3A). The newest version of the program is capable of detecting malicious behavior based on heuristic analysis and other classified indicators that can unmask previously unknown threats.

By routing all civilian government traffic through Trusted Internet Connections protected by Einstein 3A, the program should have a good chance of stopping malicious programs from ever reaching an agency in the first place.

Once detected and blocked, the second part of Einstein would then make DHS analysts aware of a possible ongoing campaign against civilian agencies so they could use human intelligence to act accordingly and protect all government networks.

Einstein 3A should begin to see rapid deployment at civilian agencies. While the military is not required to use Einstein, the administration plans to spend $582 million in 2016 to drive adoption of Einstein 3A as well as the related Continuous Diagnostics and Mitigation program at civilian agencies.

“DHS is accelerating Einstein 3A deployment across the federal government,” DHS Assistant Secretary for Cybersecurity Andy Ozment told the Senate Committee on Homeland Security and Governmental Affairs in June.

One possible snag to deploying Einstein 3A isn’t technical, but instead legal. Certain agencies such as Health and Human Services need to comply with the Health Information Portability and Accountability Act, for example, and questions have arisen how adding DHS monitoring into the middle of that traffic might be interpreted by the courts if faced with a legal challenge.

To help pave the way for Einstein 3A legally, Homeland Security Chairman Ron Johnson R-Wis., and ranking Democrat Tom Carper of Delaware introduced in the Federal Cybersecurity Enhancement Act of 2015 (S.1869) in July. That bill would require agencies to deploy Einstein 3A within a year of passage and mandates that “notwithstanding any other provision of law that would otherwise restrict or prevent” disclosure of information to DHS, the information gathered by Einstein can be legally shared, but can only be used by DHS “to protect information and information systems from cybersecurity risks.”

That bill quickly passed the Homeland Security Committee and is now waiting for the full Congress to take action.