Major Homeland Security cybersecurity plan runs into problems
It cannot be said that the federal government does not take the issue of cybersecurity seriously. On the contrary, every agency now devotes significant resources to protecting their digital assets, while more security-focused departments are consistently working on ways to better secure the nation's networks en masse. In many cases, though, these efforts have proven insufficient in the face of increasingly sophisticated cyberattacks.
Recognizing the federal government's cybersecurity shortcomings, the Department of Homeland Security has been working on a major new program to better protect federal computer networks from external attack. However, as Politico recently reported, this program is now stalled, due primarily to a legal dispute.
The source reported that this cybersecurity program, known as Einstein or E3A, is supposed to prevent malicious Internet traffic from reaching federal agencies' computer networks, thereby thwarting cyberattacks as early as possible. This program has been in development for at least two years and has an estimated cost of $3 billion.
However, as former DHS Undersecretary for Management Chris Cummiskey recently revealed, this project is no longer moving forward as a result of a legal conflict between DHS and AT&T, Politico noted. For this program to take effect, AT&T must implement certain components of the E3A system. According to Cummiskey, AT&T is not willing to take these steps until it receives a formal guarantee of liability protection – a guarantee that DHS is not yet able to provide. Cummiskey told the source that DHS officials have approached the Justice Department with this issue, which has taken the matter under review.
The source pointed out that neither CenturyLink nor Verizon, both of which are major telecom providers for federal agencies, demanded any form of liability protection before signing an agreement to deploy and operate the E3A system. However, AT&T is the largest provider of telecom services to the federal government.
This means that the lack of commitment from AT&T ensures that numerous departments would remain inadequately protected from hackers and other cyberthreats unless they divert their traffic through one of the other telecommunications service providers. For example, the Department of Veterans Affairs, which is one of AT&T's biggest customers, now redirects its outbound traffic through CentruyLink in order to ensure it is scanned by the E3A system, Politico reported. This does not currently apply to inbound traffic, although VA officials plan to correct this oversight in the near future.
A complex issue
The scope of the E3A system, and the roadblocks it has now run into, are indicative of many of the challenges that have plagued federal efforts to effectively protect agencies' networks from hackers.
For starters, there is the issue of cost. At $3 billion, this is obviously a major project. This reflects the simple fact that cybersecurity can be a costly endeavor. But while the DHS and other national security agencies can devote such funding to the issue of cybersecurity, this is not the case for many other departments. Yet these other groups are also responsible for protecting their networks and sensitive data from the threat of cybercriminals. For these agencies, the key to effective cybersecurity is doing more with less. In many cases, though, organizations lack the in-house expertise to design and maintain complex cybersecurity programs without going over budget.
Another key point is the level of interconnectedness among federal agencies. As this incident revealed, cybersecurity problems in one area can have far-reaching consequences, putting numerous groups at risk. This once again highlights the importance of each agency acting independently to secure its own networks and assets.