The Cybersecurity and Infrastructure Security Agency is looking to position a new “Cyber Analytics and Data System” at the center of national cyber defenses, as the agency’s post-EINSTEIN plans come into focus in its fiscal 2024 budget request.
CISA is seeking $424.9 million in the 2024 budget for “CADS.” The program is envisioned as a “system of systems,” budget documents explain, that provides “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”
The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents. More commonly known as “EINSTEIN,” the NCPS has been in place to defend federal agency networks since the Department of Homeland Security’s inception in 2003.
Portions of the NCPS, including core infrastructure, analytics, and information sharing, will transition to the new CADS program. Meanwhile, the EINSTEIN intrusion detection and intrusion prevention capabilities will remain under the legacy NPCS in 2024.
Chris Cummiskey, a former senior official at the Department of Homeland Security, said the budget request answers big questions about the future of EINSTEIN that have swirled around the program for the past several years.
“The notion was that EINSTEIN eventually would have to turn into something else,” Cummiskey said. “And I think we have our answer now. . . . EINSTEIN as we have known it in the federal space for the last 15 to 20 years is turning into something much different.”
The new CADS system will allow CISA “to more rapidly analyze, correlate, and take action to address cybersecurity threats and vulnerabilities before damaging intrusions occur,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told Federal News Network in an emailed statement.
The system will integrate data from multiple sources, including “public and commercial data feeds; CISA’s own sensors such as Endpoint Detection and Response, Protective [Domain Name System], and our Vulnerability Scanning service, which has thousands of enrolled organizations across the country; and data shared by both public and private partners,” Goldstein continued.
CADS will also provide a single data repository for CISA’s cyber analysts, who currently have to pivot from one system to another to manually compare data and threat information, Goldstein noted.
“Tools and capabilities provided through CADS will facilitate the ingestion and integration of data as well as orchestrate and automate analysis that supports the rapid identification, detection, mitigation, and prevention of malicious cyber activity,” he said.
An industry source noted the CADS program will provide CISA with an engineering and software development hub for fulfilling tooling and analysis requirements at a time when the agency is growing rapidly.
“As CISA has become more mature, those asks have become more advanced,” the source said. “What they’re looking to do is to make that organization a robust, agile resource. Software development as needed, tool development as needed, infrastructure development as needed.”
CISA is also requesting $67 million in 2024 to continue operating the NCPS. But the agency plans to replace EINSTEIN’s legacy intrusion detection and prevention tools.
For intrusion prevention, CISA agency plans to initiate “decommissioning” of the EINSTEIN Accelerated (E3A) email filtering tools in 2024 and transition to commercial, unclassified services, including CISA’s new Protective DNS service, budget document’s note.
Meanwhile, CISA will continue operating EINSTEIN’s intrusion detection capabilities, while it explores new options to meet the “expanded use of cloud technologies” in the federal government, the documents note.
The EINSTEIN program has been central to one of DHS’ primary missions over its two decades of existence: defending the networks of federal civilian executive branch agencies. The system logs network traffic going into and out of agency networks, alerts agencies when it identifies malicious traffic, and blocks some known cyber attacks.
But a key limiting factor for EINSTEIN, the Congressional Research Service noted in a 2018 report, is NCPS has to “have seen and analyzed the malicious traffic before, rather than being able to identify novel malicious traffic at first encounter.”
In other words, EINSTEIN “can only block known threats.”
Lawmakers questioned the approximately $6 billion invested into EINSTEIN. CISA officials defended the system, noting it was never designed to block a novel supply chain attack.
“I think we need to keep the pieces of EINSTEIN that continue to work and provide significant value and we need to transition those areas that don’t into different programs,” CISA Executive Director Brandon Wales said during a March 2021 Senate hearing.
In a report released earlier this month, the DHS office of the inspector general found the SolarWinds breach “demonstrated the need for significant improvements in CISA’s network visibility and threat identification technology.”
In response to the OIG report, CISA highlighted the development of the CADS program. The agency said it was preparing a cost estimate and schedule for “continuous delivery of CADS” to be reviewed and approved by DHS’ Office of Program Accountability and Risk Management by March 31.
The IG report notes CISA received $25 million in “bridge funding” in 2023 to continue investing in infrastructure and analytics capabilities until the 2024 budget is approved.
Details on how CISA plans to acquire the new pieces of CADS aren’t yet publicly available. But if CISA can secure its requested funding for the system in 2024, Cummiskey said it will likely spark the beginning of major acquisition activities.
“Just as they did with [Continuous Diagnostics and Mitigation] and EINSTEIN in the past, I think this will be another large opportunity for industry to play a significant role in how this particular initiative takes take shape,” he said.