DHS cyber chief outlines plan for cyber security upgrades

By Calvin Biesecker

Over the next several years the Department of Homeland Security will be rolling out improvements to the federal government's primary cyber intrusion detection system, called Einstein, with upgrades being made in parallel with one another rather than sequentially, the acting chief for cybersecurity at the department said yesterday.

In the past six months DHS has been defining the requirements, identifying capability gaps and establishing its acquisition plans for cyber security, Rear Adm. Mike Brown, acting assistant secretary, Office of Cybersecurity and Communications, said at an unclassified industry day briefing on DHS' cybersecurity requirements and acquisition plans. The acquisition program that was established is the National Cybersecurity and Protection Program (NCPP), which Brown described as, "evolving acquisition program."

The second block of the Einstein intrusion detection system is in testing now within DHS, which has identified five federal agencies for the initial rollout. Einstein 2.0 will provide the federal government with real-time detection of cyber intrusions of its computer networks. The existing intrusion detection system, Einstein 1.0, doesn't have real-time alerting capabilities.

As the testing and rollout of Einstein 2.0 is underway, DHS is beginning the engineering of Block 2.1 and shortly thereafter Block 2.2. The first incremental upgrade will add an automated visualization and correlation capability, which basically will provide data interpretation. Block 2.2 will create an interoperable information sharing environment across departments, agencies and data centers, according to Brown's briefing slides.

"So when we're talking about moving from Block 2.0 to 2.1, it's about having the ability to have the integrated visualization tools, simulation tools, and many other capabilities, including the infrastructure to support the requirements that we have," Brown said.

National Cybersecurity and Protection System Block 3.0, which is the formal name given to Einstein, will provide the federal government with an intrusion prevention service. Block 4.0 will add real-time capability, information sharing, data center upgrades, technology insertion and refresh, according to the briefing.

Brown didn't provide any specific timelines for the engineering and rollout phases of the various block upgrades, but DHS has said it hopes to move from the new Einstein 2.0 capabilities to Einstein 4.0 within five years.

Everything is "moving in parallel," Brown said.

Yesterday's vendor day "begins the dialogue" between DHS and the private sector that allows the department to outline its cybersecurity requirements and better understand the capabilities that industry brings to the table, Brown said. Brown's presentation was followed by one-on-one breakout sessions with companies that signed up to brief DHS cybersecurity officials on their respective capabilities.

Brown emphasized that the NCPP is more than just technology and devices and includes people, processes and activities that will enable DHS to "execute the cyber mission of defending, protecting and reducing cyber vulnerability." Establishment of the NCPP follows the Bush administration's issuance early last year of new national security and homeland security directives, NSPD-54 and HSPD-23, formalizing a Comprehensive National Cybersecurity Initiative (CNCI).

The CNCI has three main goals: creating a defense that reduces current vulnerabilities and preventing intrusions, defending against all threats by using intelligence and strengthening supply chain security, and shaping the future environment by enhancing research, development and education and investing in new technologies.

DHS plans to use existing contracting vehicles, at least in part, to acquire capabilities and services for the NCPP, namely the EAGLE and First Source contracts, David Ritter, associate director of the Office of Cybersecurity and Communications, said. DHS will also advertise future market research opportunities for industry feedback on its web site and in the FedBizOpps, he said.