The US Department of Homeland Security’s multi-billion dollar National Cybersecurity Protection System (NCPS) is failing to fully secure government networks thanks to a number of major failings, the Government Accountability Office (GAO) has claimed.
In a new report on the system issued late last week, the GAO highlighted deficiencies that would make most CISOs cringe, including intrusion detection which only compares traffic to known signatures rather than deviations away from baselined ‘normal’ behavior.
“In addition, NCPS does not monitor several types of network traffic and its ‘signatures’ do not address threats that exploit many common security vulnerabilities and thus may be less effective,” the report continued.
Intrusion prevention capabilities, meanwhile, currently do not cover malicious web traffic – although this is planned for 2016.
Information sharing was another area the DHS has fallen down in, having failed to develop most of the NCPS’ planned functionality in this area.
“Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications,” the GAO added.
“Further, DHS did not always solicit—and agencies did not always provide—feedback on them.”
The DHS was also unable to say whether the system has offered value for money because its performance measurement metrics don’t “gauge the quality, accuracy, or effectiveness of the system's intrusion detection and prevention capabilities.”
The department was also criticized for failing to plan for malware detection capabilities for agencies' internal networks or threats affecting cloud service providers.
Given these shortcomings it’s perhaps not surprising that only five of the 23 agencies required to implement the NCPS’s intrusion prevention capabilities have done so.
The report added:
“Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system.”
The GAO recommended nine steps for the DHS to enhance its capabilities, improve planning and support greater adoption of the NCPS.
High-profile breaches like those discovered by the Office of Personnel Management last year have highlighted the parlous state of US government cyber security.
The NCPS, operationally known as the Einstein program, has cost US taxpayers more than $5 billion over the past several years.