Two key features of the Homeland Security Department’s cybersecurity program known as Einstein are going the way of the VCR, the iPod and the teletype.
The Cybersecurity and Infrastructure Security Agency is putting two Einstein 3A services out to pasture in the coming weeks.
Specifically, CISA told agencies earlier this fall that it will be turning off two capabilities as of Dec. 22: email filtering and domain name system (DNS) sinkholing.
DNS sinkholing protects against the use of the domain name system as a means to establish communication with compromised hosts or to distribute malware. This capability is achieved by redirecting user traffic that matches known cyber threat indicators to a safe host, which prevents the connection to the malicious host and collects data on the attempted malicious connection.
Email filtering protects against the use of malicious file attachments and embedded links in email content by preventing emails that match known cyber threat indicators from reaching their intended destination and collecting information on malicious activity.
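The two mechanisms described above share one core: match a request against a set of known threat indicators, divert or drop it when it matches, and record the attempt. The following is an added example (not CISA's or E3A's code) that simulates both a DNS sinkhole and an indicator-based email filter; the sinkhole address, the indicator domains, the attachment hash and the messages are all constructed placeholders, and `fake_upstream` stands in for a real recursive resolver.

```python
"""Indicator-driven DNS sinkhole and email filter, written as an added example
(not CISA's E3A code). Every indicator, host and message below is constructed."""
import re
from dataclasses import dataclass, field

SINKHOLE_IP = "10.255.255.1"  # assumed address of the "safe host" traffic is diverted to

# Constructed threat indicators (placeholders, not real IoCs)
MALICIOUS_DOMAINS = {"bad-example.invalid", "c2.example.invalid"}
MALICIOUS_ATTACHMENT_SHA256 = {"0" * 64}


def _domain_matches(qname: str, indicators: set) -> bool:
    """True if qname equals an indicator domain or is a subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


@dataclass
class DnsSinkhole:
    indicators: set
    sinkhole_ip: str = SINKHOLE_IP
    log: list = field(default_factory=list)  # records of attempted malicious connections

    def resolve(self, client_ip: str, qname: str, upstream) -> str:
        """Answer with the sinkhole address for matching names, else ask upstream."""
        if _domain_matches(qname, self.indicators):
            self.log.append({"client": client_ip, "qname": qname, "action": "sinkhole"})
            return self.sinkhole_ip
        return upstream(qname)


@dataclass
class EmailFilter:
    bad_hosts: set
    bad_hashes: set
    log: list = field(default_factory=list)  # records of blocked messages

    def should_deliver(self, sender: str, recipient: str, body: str,
                       attachment_hashes: list) -> bool:
        """False (block) if any embedded link host or attachment hash is an indicator."""
        link_hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", body))
        hits = [h for h in link_hosts if _domain_matches(h, self.bad_hosts)]
        hits += [a for a in attachment_hashes if a.lower() in self.bad_hashes]
        if hits:
            self.log.append({"from": sender, "to": recipient, "indicators": hits})
            return False
        return True


def fake_upstream(qname: str) -> str:
    """Stand-in for a real recursive resolver (constructed answer)."""
    return "192.0.2.10"


def demo():
    """Run both components over constructed inputs and return the observed results."""
    sink = DnsSinkhole(MALICIOUS_DOMAINS)
    diverted = sink.resolve("10.1.2.3", "www.bad-example.invalid.", fake_upstream)
    normal = sink.resolve("10.1.2.3", "intranet.example", fake_upstream)

    filt = EmailFilter(MALICIOUS_DOMAINS, MALICIOUS_ATTACHMENT_SHA256)
    blocked = filt.should_deliver("a@example", "b@example",
                                  "see http://c2.example.invalid/x", [])
    delivered = filt.should_deliver("a@example", "b@example",
                                    "agenda attached", ["ab" * 32])
    return diverted, normal, blocked, delivered, len(sink.log), len(filt.log)


if __name__ == "__main__":
    print(demo())
```

Subdomain matching matters in practice: indicators are usually published as a parent domain, and a sinkhole that only compares the exact query name misses `www.` and other labels in front of it.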
Like the VCR, the iPod and the teletype, E3A was good for its time, but it has been overtaken by new tools and new capabilities and is no longer needed.
In the email to agencies obtained by Federal News Network, CISA wrote that the reason for ending these DNS services is mainly due to the fact that over the past year, nearly all federal civilian agencies have migrated to the Protective DNS Resolution Service, which provides a commercial capability to block communications with malicious domains.
“Our Protective DNS Service Delivery Team has successfully supported more than 80 migrations to date, and this will only require a small amount of your time — on average only 60-90 minutes to execute,” CISA said.
As for email filtering, CISA said it has been closely evaluating the performance, benefits and cost of this service.
“Through this evaluation, we have identified several changes since this service was first established; in particular, civilian agencies have adopted highly capable commercial email filtering capabilities that meet or exceed those provided by E3A,” CISA wrote. “In addition, our analysis concluded that classified indicators used by the Email Filtering Service did not result in appreciable security benefits compared to commercial solutions.”
Ross Nodurft, the executive director of the Alliance for Digital Innovation and a former OMB cybersecurity branch chief, said the move to the cloud and commercial email services really is driving a lot of the need for CISA to turn off these services.
“The commercial capabilities have become as good as some of the stuff that we’re getting that had some of the government secret sauce,” Nodurft said. “I think we’ve now gotten to a point where a whole bunch of circumstances have led us to a place where people are migrating, moving to the cloud. They are using commercial capabilities that are as good, and in some cases, probably even better. And you have this price tag of — what was it years ago? — probably $30 million, roughly. CISA can take that money and repurpose it toward shared services that are frankly better for the government.”
For agencies that haven’t moved their email services to the cloud, CISA recommended the following steps:
CISA told agencies that Einstein 1 and E2 services are not going away. Einstein 1 monitors the flow of network traffic transiting to and from civilian agencies. In technical terms, E1 records and analyzes network traffic flow records and lets CISA identify potentially malicious activity and conduct critical forensic analysis after an incident occurs.
Einstein 2 identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures. In technical terms, it is an intrusion detection system.
Both are routed through agency Trusted Internet Connections (TIC) services.
Grant Schneider, the former federal chief information security officer and now senior director of cyber services at Venable, said it makes sense to keep E1 and E2 services running, but E3A was never as good a fit for civilian agencies as it was for the Defense Department and the intelligence community. He said updating or redesigning E3A has been a long time in coming.
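The E1 and E2 descriptions above amount to two different analytics over the same traffic: flow-record analysis that supports after-the-fact forensics and anomaly spotting, and signature matching against known-bad tuples. The following is an added example (not Einstein code) showing both over a constructed set of flow records; the addresses come from the RFC 5737 documentation ranges, and the signature name and the beaconing threshold are assumptions chosen for illustration.

```python
"""Flow-record analysis (E1-style) and signature matching (E2-style), written as an
added example rather than Einstein code. Flow records and the signature are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture (constructed)
    src: str       # internal host
    dst: str       # external host
    dport: int
    proto: str
    bytes_out: int


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
FLOWS = [
    Flow(0,   "10.0.0.5", "203.0.113.7",  443, "tcp", 512),
    Flow(60,  "10.0.0.5", "203.0.113.7",  443, "tcp", 498),
    Flow(120, "10.0.0.5", "203.0.113.7",  443, "tcp", 520),
    Flow(180, "10.0.0.5", "203.0.113.7",  443, "tcp", 505),
    Flow(5,   "10.0.0.8", "198.51.100.2", 443, "tcp", 2100),
    Flow(17,  "10.0.0.8", "198.51.100.2", 443, "tcp", 64000),
    Flow(200, "10.0.0.8", "198.51.100.2", 443, "tcp", 900),
    Flow(260, "10.0.0.8", "198.51.100.2", 443, "tcp", 1200),
    Flow(300, "10.0.0.9", "203.0.113.7",  80,  "tcp", 300),
]

# E2-style signature: a known (dst, dport, proto) tuple; the name is a placeholder
SIGNATURES = {("203.0.113.7", 443, "tcp"): "constructed-signature-001"}


def match_signatures(flows, signatures=SIGNATURES):
    """E2-style detection: flag every flow whose tuple matches a known signature."""
    return [(f, signatures[(f.dst, f.dport, f.proto)])
            for f in flows if (f.dst, f.dport, f.proto) in signatures]


def forensic_lookup(flows, external_ip, start, end):
    """E1-style after-the-fact query: internal hosts that talked to external_ip in [start, end]."""
    return sorted({f.src for f in flows if f.dst == external_ip and start <= f.ts <= end})


def beaconing_pairs(flows, min_flows=4, max_jitter=0.1):
    """E1-style analytics: (src, dst) pairs whose contact intervals are nearly constant.

    A low coefficient of variation of the gaps between flows is the classic sign of a
    scheduled check-in; the threshold is an assumption for this example.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    print("signature hits:", [(f.src, name) for f, name in match_signatures(FLOWS)])
    print("hosts that reached 203.0.113.7:", forensic_lookup(FLOWS, "203.0.113.7", 0, 1000))
    print("beaconing pairs:", beaconing_pairs(FLOWS))
```

Note the difference in coverage: the signature catches only the port 443 flows it was written for, while the flow-record query also surfaces the port 80 contact from a second host, and the interval analysis flags the first host without any signature at all. That is the complementary value of keeping E1 alongside E2.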
“The challenges that the program ran into early on is when you look at DoD, it has 10 internet access points. So you’ve got 10 boundaries where you can put a whole suite of equipment and defensive stuff, and you get to inspect most everything coming and going from the network,” Schneider said. “When you look at the federal civilian agencies, there isn’t a federal civilian .gov network. So every agency has multiple connections to the internet, and you then had to get E3A in front of all of those, which is why they went to the service providers. That just drove up costs because now the service providers were having to build out SCIFs in order to handle the information. I think from a cost standpoint, the model that worked in DoD for one type of architecture wasn’t ever going to transfer well into the federal civilian space.”
CISA signaled earlier this year that the end was coming for some of the Einstein program. In its 2024 budget request, CISA asked for $424.9 million for its new “Cyber Analytics and Data System.” The new program is part of the “restructuring” of the National Cybersecurity Protection System, according to the documents.
Additionally, CISA has been expanding its shared services offerings, including protective DNS, mobile security and the vulnerability disclosure platform.
Another driving factor in the decision to turn off these E3A capabilities is what Nodurft said was the dimming of the once bright line between commercial and government cyber services.
“In a lot of cases, the solutions that were being provided, regardless of whether or not they are conceived of and developed by the government, have transitioned or migrated to commercial providers. You’ve got people like CrowdStrike, Cloudflare and some of the other ones who are offering white label solutions to the government which is providing shared services,” he said. “I think we need to consider across the stack, whether it’s network security, whether it’s data security, and extended detection and response (XDR) capabilities, whether it’s all of the above, it needs to be viewed as a partnership between the public sector and commercial tools, technologies and capabilities. That is what is going to continue to underpin how the government delivers security.”
Copyright © 2024 Federal News Network. All rights reserved.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.