The U.S. National Cybersecurity Protection System (NCPS), managed by the Department of Homeland Security, is only partly successful in detecting and preventing intrusions at federal agencies, according to the Government Accountability Office (GAO).
“Cyber-based attacks on federal systems continue to increase,” the GAO said recently in publishing its findings, which are derived from a limited-circulation report completed last November. However, the new iteration omits “certain information on technical issues” which were in the earlier document.
“GAO has designated information security as a government-wide high-risk area since 1997,” it explains. “This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.”
Senate and House of Representatives reports accompanying the 2014 Consolidated Appropriations Act included provisions for the GAO to review NCPS implementation, which involved interviews with officials and scrutiny of documentation at the DHS and five agencies.
The NCPS is used to compare network traffic against known patterns of malicious data, or “signatures,” but the GAO found that it does not detect deviations from predefined normal network baselines.
As for NCPS prevention of intrusions, that was limited to the types of network traffic it monitors. “For example, the intrusion prevention function monitors and blocks e-mail,” the GAO said. “However, it does not address malicious content within web traffic.” It noted that the DHS plans to deliver that capability this year and to enhance its data analytics.
The GAO also found that the DHS and agencies did not always agree on whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit, and agencies did not always provide, feedback.
No fewer than 23 federal agencies, having adopted the NCPS “to varying degrees”, had routed some suspicious traffic to NCPS intrusion detection sensors, but only five were receiving intrusion prevention services and agencies generally had not taken all the technical steps to implement the system. “This occurred in part because DHS has not provided network routing guidance to agencies,” the GAO said. “As a result, DHS has limited assurance regarding the effectiveness of the system.”
Accordingly, it recommended, among other things, that Homeland Security Secretary Jeh Johnson – whose appointment by President Barack Obama was confirmed by the Senate in mid-December – direct his Office of Cybersecurity and Communications to develop “clearly defined requirement for detecting threats on agency internal networks and cloud service-providers.”
(The full GAO report and recommendations can be found at http://www.gao.gov/products/GO-16-294.)