DHS Plans to Rejigger Government’s Cyber Sensor System for Move to Cloud


The government’s current system of Einstein cyber threat sensors isn’t well-suited to the scale and complexity of cloud systems.

As government agencies move more of their digital systems to computer clouds, the Homeland Security Department is rethinking how it deploys cybersecurity sensors to detect attempts to compromise those systems, a top official said Tuesday.

Currently, Homeland Security’s systems of cyber threat detection sensors, known as Einstein, cluster around a series of trusted internet connections that route information between federal agencies and the broader internet.

The government has less visibility into cyber threats if they sneak past those connections.

The system of trusted internet connections is ill-suited, however, for massive computer clouds, which shift data around far more dynamically.

As a result, Homeland Security is working with cloud companies on a new sensor concept that can catch cyber threats without relying on a series of chokepoints, said Jeanette Manfra, who leads Homeland Security’s cybersecurity division.

“It’s not just ‘hey, let’s take the same concept and funnel all of our traffic through a couple nodes that we can trust, because that’s not how cloud works,’ ” Manfra told reporters along the sidelines of a Palo Alto Networks cybersecurity conference.

The plan mirrors a broader government goal of moving from what’s called perimeter defense—essentially placing security checkpoints at the edge of federal networks—to a more complicated and layered defense system that can spot and respond to threats anywhere from the edge of the network to the phone or laptop that an employee is using.

A useful analogy might be a passport check that can catch a jewel thief as she enters a country versus a complex intelligence and law enforcement communication system that can catch her at multiple points inside the country.

The Einstein system is currently on its third phase, known as E3A.

The system may only be capturing a small fraction of the total cyber threats detected by Homeland Security and agency cyber systems.

Einstein and other Homeland Security threat detection systems detected just 379 of 39,171 cyber incidents across federal civilian networks between April 2017 and September 2018, according to a September letter from federal Chief Information Officer Suzette Kent to Senate Homeland Security Chairman Ron Johnson, R-Wisc.

The Homeland Security effort comes as the White House is seeking public feedback on an updated cloud computing strategy known as Cloud Smart.

The policy updates a 7-year-old Obama-era cloud policy, which was written when federal agencies were just starting to contemplate whether they could move some operations to cloud infrastructure.

Since then, agencies have moved dozens of email, collaboration and other systems to industry computer clouds and also invested in building government-only clouds for classified data and government-industry hybrid clouds. The government has also started vetting the security of cloud vendors through a process called the Federal Risk and Authorization Management Program, or FedRAMP.

The updated cloud policy is focused on how moving systems to the cloud can not just save money but also improve mission outcomes, Kent has said.